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MULTIWAY ELECTION METHOD AND APPARATUS 

CROSS-REFERENCE TO RELATED APPLICATIONS 

This application claims the benefit of U.S. Provisional Patent Application 
Nos. 60/126,080 and 60/149.621. filed March 25, 1999 and August 16. 1999, 
5 respectively, both currently pending. 

TECHNICAL FIELD 

The following relates generally to encryption, and more specifically to 
electronic encryption employed in voting schemes. 

BACKGROUND OF THE INVENTION 

10 Requirements for an electronic voting scheme represent one of the most 

challenging in secure multi-party computation. Privacy of the voter must be protected, 
strict audit trails must be in-place, and the system must be easy to use and administer. 
Furthermore, ballot types range from simple yes/no initiatives to complex multi-way 
candidate races allowing the possibility for write-in candidates. 

15 Considerable work has been done to develop a secure and efficient 

electronic voting scheme. These approaches fall into two categories: (1) those based on 
anonymous channels and (2) those based on number-theoretic techniques without 
anonymous channels. 

Schemes that use anonymous channels to protect the voter's privacy are 

20 described in D. Chaum. "Untraceable electronic mail, return addresses, and digital 
pseudonyms," Communications of the ACM, 24(2):84-88, 198 1 ; A. Fujioka, T. Okamoto, 
K. Ohta, "A practical secret voting scheme for large scale elections," Advances in 
Cryptology - AUSCRYPT '92, Lecture Notes in Computer Science, pp. 244-251, 
Springer- Verlag, 1992; and C. Park, K. Itoh, K. Kurosawa, "Efficient anonymous channel 

25 and all/nothing election scheme," Advances in Cryptology - EUROCRYPT '93, Lecture 
Notes m Computer Science, pp. 248-259, Springer- Verlag, 1993. These schemes are 

1 
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efficient and allow arbitrary ballot types {yes/no, d-of-N options, write-ins). However, 
the most significant disadvantage of such schemes is that the voter is responsible for 
insuring that their vote was accounted for in the fmal election tally. This "individual 
verifiability" property is highly impractical for public-sector elections. Essentially, no 
independent observer can verify the election. 

Number-theoretic schemes that do not use anonymous channels 
(homomorphic schemes) are described in J. Benaloh, "Secret Sharing Homomorphisms: 
Keeping Shares of a Secret Secret," Advances in Cryptology - CRYPTO *86, Lecture 
Notes in Computer Science, pp. 251-260, Springer- Veriag, Berlin 1987; J. Benaloh, M. 
Yung, "Distributing the power of a government to enhance the privacy of voters," ACM 
Symposium on Principles of Distributed Computing, pp. 52-62, 1986; K. Sako, J. Kilian, 
"Secure voting using partially compatible homomorphisms, Advances in Cryptology- 
CRYPTO *94, Lecture Notes in Computer Science, Springer- Veriag, 1994; R. Cramer, M. 
Franklin, B. Schoenmakers, M. Yung, "Multiauthority secret-ballot elections with linear 
work," Advances in Cryptology - EUROCRYPT '96 Lecture Notes in Computer Science, 
Springer- Veriag, Beriin, 1996; R. Cramer, R. Gennaro, B. Schoenmakers, "A secure and 
optimally efficient multi-authority election scheme," Advances in Cryptology - 
EUROCRYPT *97, Lecture Notes in Computer Science, Springer-Veriag, 1997; U.S. 
Patent No. 5,495,532, J. Kilian, K. Sako, "Secure electronic voting using partially 
compatible homomorphisms," issued 2/27/1996, filed 8/19/1994; U.S. Patent No. 
5,682,430, J. Kilian, K. Sako, "Secure anonymous message transfer and- voting scheme," 
issued 10/28/1997, filed 1/23/1995. These schemes enjoy a "universal verifiability" 
property where anyone can verify the election without compromising voters* privacy. 
The system under Cramer et al., employs threshold cryptosystems to achieve robustness 
in the face of faulty authorities. The systems under Benaloh and Sako/Kilian employ 
(verifiable) secret-sharing to achieve the same goal but at greater computational cost to 
the voter. However, these schemes do not necessarily support arbitrary ballot types and 
suffer from higher computational requirements. The two categories for electronic voting 
schemes are described below. 

Accountability of anonymous channel/mixer schemes. On the surface, 
anonymous channel/mixer schemes appear to meet audit requirements because there is a 
verifiable public record of the registered voters who asked for a signed, serialized, 

[32462-800l/SU)03694.730] 2 
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blinded ballot. Most likely, this would take the form of a public database containing all 
of the voter-signed ballot requests from the first half of the protocol. This prevents the 
authority from generating extra fake ballots or deleting valid ballots, since the number of 
ballots must match the number of valid requests. Since each request must be signed with 
5 a registered voter's private key, the authority cannot mask extra ballots by submitting and 
fiilfiUing fake ballot requests for registered voters who did not vote. When the polls 
close, an authority would make sure that the signature on each request matches one, and 
only one, registered voter's public key, and that the number of ballot requests matches the 
number of submitted ballots. 

10 There is a problem in that the number of submitted ballots legitimately can 

be less than the number of ballot requests. The leading cause for this would be a voter 
changing his/her mind about voting after receiving a ballot but before submitting it. With 
a good acknowledge protocol, this would require canceling the vote or turning off the 
computer in a very narrow time window. It could also happen if a network outage or 

15 failure of the voter's computer occurs in the same time window and is not corrected 
before the polls close. Both cases are fairly tmlikely, but they do have a finite probability 
and the odds improve as the number of voters increases. Authorities would have a tough 
time tracking down the reason(s) for the discrepancy. Conceivably, a voter could prove a 
failure by providing a copy of the signed ballot serial number after the polls close. 

20 Authorities would know that the number was issued but not used, and could 

allow the voter to restart the protocol from the beginning. In any event, the number of 
missing ballots from this source should be small, which prevents the authority from 
throwing away many ballots. However, the hole might be more serious for very small 
precincts or in races decided by a small margin. 

25 The most serious attacks, which are a direct consequence of the lack of 

verifiability, keep the number of requests and the number of ballots identical. One attack 
involves the authority (1) modifying (and resigning) submitted ballots or (2) deleting and 
substituting new ballots. Another attack involves deleting ballots and a corresponding 
number of random ballot requests from the database. 

30 These attacks are possible because the protocol deliberately severs the 

coimection between the ballot request and the submitted ballot. As such, there is no way 
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that an independent observer can detect that the ballots are the same as those that were 
submitted, or even that all submitted ballots are still present. 

An appropriate counter to these attacks is a bit commitment on the signed 
ballot retumed to the voter as noted by the papers by A. Fujioka, T. Okamoto, K. Ohta 

5 and Park, K. Itoh, K. Kurosawa. The voter, then, can detect attacks v/here the voted 
ballot and/or ballot serial number have been modified by checking to make sure that 
his/her ballot number is present among the published ballots and that it contains the 
correct vote. Note that the voter must also make sure that his/her signed ballot request is 
present; otherwise, the authority could have deleted it to offset the deletion of someone 

10 else's ballot. If something is amiss, the voter can dispute the election results. Again, this 
is weak protection because a significant number of voters must perform the verification. 

It might be argued that a corrupt authority would have to gamble that most 
voters will not bother to verify their requests and ballots. The larger the number of 
ballots modified or deleted, the greater the risk of exposure. Even if there is no way to 

15 prove that the disputing voters are not lying, a proportionately large number of disputes 
would certainly raise suspicion and lend credibility to the disputers. In any event, no 
concrete proof of tampering may be possible. In the end, anonymous channel/mixer 
schemes completely rely on voter verification to ensure that there has been no tampering. 
Traffic analysis of anonymous channel/mixer schemes. With anonymous 

20 chaimel/mixer schemes, concealing the network address of a submitted ballot is not good 
enough for very slow traffic periods. For example, if only one voter submits a ballot for 
signature and the corresponding unblinded ballot in a given period, the authority will 
know how the voter voted, even if the network address is concealed. A cumbersome 
remedy might be to buffer ballots on some machine under the control of a different set of 

25 authorities. 

Multi-way homomorphic schemes. Previously homomorphic schemes 
exhibit universal verifiability for simple ballots (/.e., yes/no, N-of-N approval) but do not 
generalize to <i-of-A/^ multi-way ballots. The system under Cramer et al., contains a multi- 
way ballot methodology, but it only works for ballots in which the voter must choose 1- 
30 of'N candidates. No previous systems address ballots in which the voter may choose d- 
of'N candidates. Such ballots are quite common in both public and private elections. 
Also, the Cramer et al., system employs an algorithm for determining the tally as 0{l^'^y 

4 
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which is not practical for commonly encountered values of N and/or large numbers of 
voters, /. Thus, this system may be practical for yes/no elections, but may not be practical 
for multi-candidate races containing more than a few candidates in large precincts. 

SUMMARY 

5 The election scheme presented here overcomes these limitations by (1) 

significantly reducing the work required to tally a multi-way election and (2) enforcing 
that multi-way ballots are well-formed without opening the ballots. We also present our 
scheme in both Zp, elliptic curve and general group contexts, present techniques for 
supporting write-in candidates, and provide a practical implementation approach for 

10 supporting an uneraseable "ballot box." 

Efficient multi-way ballots. Described below is an efficient multi-way 
scheme and associated protocol that reduces the work in tallying the election from 0(1^'^) 
to 0{lN). This improvement is a direct outgrowth of converting a d-of-N option into N,l- 
of-2 options and tallying the votes for each option separately. Only N-l (instead of N), 

15 0(lN) tallies must be computed for d-of-N races. 

Multi-way zero-knowledge proofs. The above ballot formulation alone is 
insufficient to restrict voting for more than d options (/.e., submitting an ill-formed 
ballot). To guard against such attacks, the N encrypted votes are subjected to a zero- 
knowledge proof of validity. The proof ensures that the encrypted ballot meets the d-of- 

20 N condition (/.e, no overvoting) without revealing which d options are selected. 

Elliptic curve and General Group formulations. Beyond the Zp setting, 
the scheme is extended to the elliptic curve setting and more general group settings. This 
includes adapting threshold cryptosystem protocols to elliptic curves and developing 
efficient zero-knowledge proofs of validity. 

25 Support for write-in candidates. No work has been done to support the 

seldom used, but frequently required, write-in candidate. The scheme provides a write-in 
framework that integrates well within the protocol. 

Although the papers by J. Benaloh, M. Yung and Cramer, R. Gennaro, B. 
Schoenmakers make the observation that multi-way races can be reduced to independent 

30 races, the prior art fails to address the problem of how to limit the number of choices. 
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which is normally required. The below multi-way zero knowledge proof does so by 
combining the individual yes/no votes into a single zero-knowledge proof. The proof 
ensures that the voter casts no more than dyes votes. 

"Amortization," in cryptography, can be used to combine multiple votes 
into a single zero-knowledge proof, thus saving significant bandwidth and computation. 
However, the prior art, namely the paper by K. Sako, J. Kilian, does not discuss the 
ability of the proof to limit the number oiyes votes. Furthermore, proofs under the prior 
art, namely the paper by R. Cramer, R. Geimaro, B. Schoenmakers, only ensures that the 
votes are well-formed, and rely on the tally computation to limit the voter to a single yes 
vote. Prior approaches apply amortization to the specific problem of proving d-of-N 
ballots. I ' 

The scheme below effectively characterizes multi-way races as being 
reduced to N individual yes/no races. Thus, the scheme described below employs 
homomorphic encryption to reduce a balance of N candidates to N number of binary or 
yes/no votes, one for each candidate. Thus for a ballot of six candidates, a voter votes for 
one of six, and no for the other five. The inventive protocol ensures that each voter 
indeed voted for only one of six candidates, under this example. Benaloh and Yung state 
that approval voting (where a voter may cast a vote for any number of the given 
candidates) is really just a case of several independent >'e5/wo votes. However, although 
the observation is made, no method is given for processing multi-way elections that 
reduces to several independent >'e5/no votes and enforces well-formed, d-of-N, votes. 

The computational load of prior systems is significantly reduced from 
exponential to linear. Oiu: methodology supports ballots where the voter may choose d- 
of'N candidates, which effectively handles both the 1-of-A^ case and the, more general, d- 
of'N case. Moreover, the computational load required to determine the tally is linear 
instead of exponential in as under the method described by R. Cramer, R. Germaro, B. 
Schoenmakers, so it can practically support large values ofd, N, and /. Table 1 illustrates 
the comparative computational load improvement. 
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Table 1: Computational requirements comparison of technique by R. 
Cramer, R. Gennaro and B. Schoeranakers vs. the present scheme 



Precinct Voters, / 


Candidates, N 


Prior Art 


Present 
Scheme 


10 


5 


lO'^ 


40 


100 


5 


10* 


400 


1000 


5 


10'2 


4000 


10 


10 


10' 


90 


100 


10 


10'« 


900 


1000 


10 


10^^ 


9000 



5 Described below is a formulation for using elliptic curves for both the zero- 

knowledge proofs and the tallying, which improves security, reduces the required key 
lengths dramatically, and significantly reduces bandwidth requirements. Both the 
systems by K. Sako, J. Kilian, and R. Cramer, R. Gennaro, B. Schoenmakers, mention 
using elliptic curves instead of subgroups of Zp, Neither presents a methodology for 

10 doing so, and neither discusses the significant efficiency enhancements of elliptic curves 
within the voting context. Furthermore, both contexts are adapted to the below scheme 
for efficient multi-way elections. 

In sum, the invention described herein overcomes the limitations of the 
prior art and provides numerous additional benefits. The above brief summary presents 

15 only some embodiments or aspects of the invention. Some simplifications and omissions 
were made in the simimary, because the summary is intended to highlight and introduce 
only some aspects of the disclosed embodiments, not to limit the scope of the invention. 
Presented below is a detailed description of illustrated and suitable embodiments, which 
will permit one skilled in the relevant art to make and use aspects of the invention. One 

20 skilled in the relevant art can obtain a fiiU appreciation of aspects of the invention from 
the detailed description, read together with the figures, and from the claims (which follow 
the detailed description). 
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BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram illustrating a suitable environment for 
implementing embodiments of the invention. 

Figure 2 is flow diagram illustrating voter ballot creation voting protocol 
5 under one embodiment. 

Figure 3 is a flow diagram illustrating a ballot verification protocol under 
one embodiment. 

Figure 4 is a flow diagram illustrating a complete multi-way electronic 
election protocol. 

10 Figure 5 is a flow diagram showing a tabulation search enhancement for 

more rapidly computing a decrypted tally of votes, over trial and error methods. 

In the drawings, identical reference numbers identify identical or 
substantially similar elements or steps. To easily identify the discussion of any particular 
element or step, the most significant digit or digits in a reference number refer to the 

15 figure number in which that element or step is furst introduced and discussed (e.g., step 
204 is first introduced and discussed with respect to Figure 2). The headings provided 
herein are for convenience only, and do not affect the scope or meaning of the claimed 
invention. 

DETAILED DESCRIPTION 

20 The following description provides specific details for a thorough 

understanding of, and enabling description for, embodiments of the invention. However, 
one skilled in the relevant art will understand that the invention may be practiced without 
these details. In other instances, well-known structures and functions have not been 
shown or described in detail to avoid unnecessarily obsciuing embodiments of the 

25 invention. 

Much of the detailed description provided herein is explicitly disclosed in 
the provisional patent applications noted above; most or all of the additional material will 
be recognized by those skilled in the relevant art as being inherent in the detailed 
description provided in such provisional patent applications, or well known to those 
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skilled in the relevant art. Those skilled in the relevant art can implement the invention 
based on the detailed description provided in the provisional patent applications. 

The system is described below with / voters Vu...yi and n authorities 
Au,,.\Ar, interacting through a "bulletin board," typically implemented by a web server. 

5 Ballots are posted by voters to an area on the bulletin board called a "ballot box." 

Ballots are encrypted and are never decrypted. The scheme uses Zp, elliptic 
curve or general group cryptosystems. Homomorphic properties of the encryption allow 
ballots to be "combined" to produce encrypted tallies. This ensures "universal 
verifiability" since anyone can (1) see who voted without seeing how they voted, 

10 (2) verify that all ballots are well formed, (3) duplicate the combination of the encrypted 
ballots to obtain the encrypted tally, and (4) verify computation of the decrypted tally 
from the encrypted tally. 

Ballots are accompanied by zero-knowledge proofs of validity to insure that 
a voted ballot includes allowable options, without leaking any information about which 

15 ballot option is chosen. Furthermore, the below system employs the Fiat-Shamir 
heuristic, which is described in A. Fiat, A. Shamir, "How to prove yourself: Practical 
solutions to identification and signature problems," Advances in Cryptology - CRYPTO 
'86 Lecture Notes in Computer Science, pp. 186-194, Springer- Verlag, New York, 1987, 
to create non-interactive proofs. 

20 The encrypted tally is decrypted by t-of-n authorities without reconstructing 

the authorities' private keys, using threshold encryption techniques. The decryption 
protocol requires a zero-knowledge proof which ensures that the correct ciphertext has 
been decrypted using the private-key share corresponding to the authorities' group public- 
key. Hence, compromise of the election results or voter privacy would require a 

25 conspiracy of at least t-of-n authorities. Even if all authorities conspire, they cannot 
conspire to fabricate the election results. 

The mathematical notation used here is readily understandable to those 
skilled in the relevant art; however, for those unfamiliar with the art, the following 
definitions and descriptions are provided. Such definitions, although brief, will help 

30 those generally xmfamiliar with the art to more fully understand aspects of the invention 
based on the detailed description provided herein. Such defmitions are further defmed by 
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the description of the invention as a whole (including the claims), and not simply by such 
definitions. 

Figures 2, 3, 4 and 5, as well as the detailed description provided herein, 
describe protocols between a voter and verifier (or between a proving party and a 
verifying party). The action performed by the parties are grouped together into flow 
diagram boxes. Each line of text or equations in a box describes a step, such as a 
computation, transmittal of inforaiation, or storage or retrieval fimction. Such flow 
diagrams are read line by line and box by box. 

The term "party" as generally used herein, indicates an entity, and might be 
an agent who performs a step or a collection of steps under the protocol. It may also refer 
to a means or method for performing some or all of the steps. Thus, some or all portions 
of the protocols may be performed under any suitable configuration of digital logic 
circuitry. For example, any or all steps under the protocol may be realized by not only a 
general purpose computer, such as a personal computer, but by a hard-wired or dedicated 
combinatorial logic device, or any sort of suitably programmed machine or 
microprocessor, so long as such device or machine performs the required processing 
steps, storage, input and output, and the like. 

The symbol generally denotes the assignment fimction, which 

indicates that a variable or symbol on a left side of an equation is assigned a value or 
values on a right side of that equation. Assignments do not necessarily imply storage 
space or memory use, but may refer to intermediate computations performed in random- 
access memory or within a CPU. 

The symbol " Gr" generally indicates that a number or numbers on flie left- 
hand side are chosen from a set on the right-hand side according to a probability 
distribution that is substantially uniform and independent (random). In practice, a 
physical random number generator can be used, possibly in conjunction with additional 
post-processing, or a deterministic pseudo-random number generator. Methods of 
generating random mmibers are known by those skilled in the relevant art. 

The symbol "Z/' denotes a set of numbers of integers 0 through P-1, or ring 
of integers, modulo P. Addition and multiplication of elements in the ring Zp are defmed 
modulo P. 

10 
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The symbols "11" and respectively denote product and sum, which are 

indexed. 

Figure 1 and the following discussion provide a brief, general description of 
a suitable computing environment in which aspects of the invention can be implemented. 
Although not required, embodiments of the invention will be described in the general 
context of computer-executable instructions, such as routines executed by a general- 
purpose computer, such as a personal computer or web server. Those skilled in the 
relevant art will appreciate that aspects of the invention (such as for small elections) can 
be practiced with other computer system configurations, includmg Internet appliances, 
hand-held devices, multiprocessor systems, microprocessor-based or programmable 
consumer electronics, network PCs, mini computers, cell phones, mainframe computers, 
and the like. Aspects of the invention can be embodied in a special purpose computer or 
data processor that is specifically programmed, configured or constructed to perform one 
or more of the computer-executable instmctions explained herein. Lideed, the term 
"computer," as generally used herein, refers to any of the above devices, as well as any 
data processor. 

The invention can also be practiced in distributed computing environments 
where tasks or modules are performed by remote processing devices, which are linked 
through a conmixmications network, such as a Local Area Network (LAN), Wide Area 
Network (WAN), and the Intemet. In a distributed computing environment, program 
modules or sub-routines may be located in both local and remote memory storage 
devices. The invention described herein may be stored or distributed on computer- 
readable media, including magnetic and optically readable and removable computer disks, 
as well as distributed electronically over the Intemet or other networks (including 
wireless networks). Those skilled in the relevant art will recognize that portions of the 
protocols described herein reside on a server computer, while corresponding portions 
reside on client computers. Data structures and transmission of data particular to such 
protocols are also encompassed within the scope of the invention. 

Unless described otherwise, the construction and operation of the various 
blocks shown in Figure 1 are of conventional design. As a result, such blocks need not be 
described in further detail herein, as they will be readily imderstood by those skilled in 
the relevant art. 

11 
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Referring to Figure 1, a suitable environment of system 100 includes one or 
more voter or client computers 102, each of which includes a browser program module 
104 that permits the computer to access and exchange data with the Internet, including 
web sites within the World Wide Web portion 106 of the Internet. The voter computers 

5 102 may include one or more central processing units or other logic processing circuitry, 
memory, input devices (e.g., keyboards and pointing devices), output devices (e.g., 
display devices and printers), and storage devices (e.g., fixed, floppy, and optical disk 
drives), all well known but not shovm in Figure 1. The voter computers 102 may also 
include other program modules, such as an operating system, one or more application 

10 programs (e.g., word processing or spread sheet applications), and the like. As shown in 
Figure 1, there are number of voter computers 102, representing voters 1, 2, 3 . . . //. 

X server computer system 108 or "vote collection center," coupled to the 
Internet or Worid Wide Web ("Web") 106, performs much or all of the ballot collection, 
storing and other processes. A database 110, coupled to the server computer 108, stores 

15 much of the web pages and data (including ballots) exchanged between the voter 
computers 102, one or more voting poll computers 1 12 and the server computer 108. The 
voting poll computer 1 12 is a personal computer, server computer, mini-computer, or the 
like, positioned at a public voting location to permit members of the public, or voters who 
may not have ready access to computers coupled to the Internet 106, to electronically 

20 vote under the system described herein. Thus, the voter computers 102 may be 
positioned at individual voter's homes, where one or more voting poll computers 1 12 are 
located publicly or otherwise accessible to voters in a public election. The voting poll 
computer 112 may include a local area network (LAN) having one server computer and 
several client computers or voter terminals coupled thereto via the LAN to thereby permit 

25 several voters to vote simultaneously or in parallel. 

Under an altemative embodiment, the system 100 may be used in the 
context of a private election, such as the election of corporate officers or board members. 
Under this embodiment, the voter computers 102 may be laptops or desktop computers of 
shareholders, and the voting poll computer 1 12 can be one or more computers positioned 

30 within the company (e.g., in the lobby) performing the election. Thus, shareholders may 
visit the company to access the voting poll computer 1 12 to cast their votes. 
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One or more optional authority or organization computers 114 are also 
coupled to the server computer system 108 via the Internet 106. The authority computers 
1 14 each hold a key necessary to decrypt the electronic ballots stored in the database 110. 
Threshold cryptographic systems require that a subset t of the total number of authorities 
n (i.e., t<n) agree to decrypt the ballots, to thereby avoid the requirement that all 
authorities are needed for ballot decryption. The authority computers 114 may provide 
their decryption share to the server computer system 108 after the voting period ends so 
that the server computer system may decrypt the ballots and tally the results. 

The server computer 108 includes a server engine 120, a web page 
management component 122, a database management component 124, as well as other 
components not shown. The server engine 120 performs, in addition to standard 
functionality, the electronic voting protocol. The above encryption protocol may be 
stored on the server computer, and portions of such protocol also stored on the client 
computers, together with appropriate constants. Indeed, the above protocol may be stored 
and distributed on computer readable media, including magnetic and optically readable, 
and removable computer disks, as well as distributed electronically over the Internet or 
other networks. Those skilled in the relevant art will recognize that portions of the 
protocol reside on the server computer, while corresponding portions reside on the client 
computer. Data structures and transmission of data particular to the above protocol are 
also encompassed within the present invention. Thus, the server engine 120 may perform 
all necessary ballot transmission to authorized voters, ballot collection, verifying ballots 
(e.g., checking digital signatures and passing verification of included proofs of validity in 
ballots), vote aggregation, ballot decryption and/or vote tabulation. Under an alternative 
embodiment, the server engine 120 simply collects all electronic ballots as a data 
collection center. The electronic ballots are then stored and provided to a third party 
prganizatioii conducting the election, such as a municipality, together with tools to 
decrypt the tally and produce election results. 

The web page component 122 handles creation and display or routing of 
web pages such as an electronic ballot box web page, as described below. Voters and 
users may access the server computer 108 by means of a URL associated therewith, such 
as http:\\www. votehere.net, or a URL associated with the election, such as a URL for a 
municipality. The municipality may host or operate the server computer system 108 
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directly, or automatically forward such received electronic ballots to a third party vote 
authorizer who may operate the server computer system. The URL, or any link or 
address noted herein, can be any resource locator. 

The web page management process 122 and server computer 108 may have 
secure sections or pages that may only be accessed by authorized people, such as 
authorized voters or system administrators. The server computer 108 may employ a 
secure socket layer ("SSL") and tokens or cookies to authenticate such users. Indeed, for 
small elections, or those where the probability of fraud is low (or results of fraud are 
relatively inconsequential), the system 100 may employ such simple network security 
measures for gathering and storing votes as explained below, rather than employing 
complex electronic encrypted ballots, as described in the above-noted patent application. 
Methods of authenticating users (such as through the use of passwords), establishing 
. secure transmission connections, and providing secure servers and web pages are known 
to those skilled in the relevant art. 

The election scheme and system uses a "bulletin board" where each posting 
is digitally signed and nothing can be erased. See papers by K. Sako, J. Kihan, R. and 
Cramer, R. Gennaro, B. Schoenmakers. The bulletin board is implemented as a web 
server. The "ballot box" resides on the bulletin board and holds all of the encrypted 
ballots. Erasing can be prevented by writing the web server data to a write-once, read- 
many (WORM) permanent storage medium or similar device. Further details on such a 

bulletin board system are found in U.S. Patent Application No. , filed 

March 24, 2000, entitled Electronic Voting Scheme Employing Permanent Ballot Storage, 
assigned to the assignee of the present invention. 

Two embodiments of the system are described herein, which respectively 
employ a Zp (ElGamal) cryptosystem, an elliptic curve cryptosystem and cryptosystem 
imder general groups. Both cryptosystems employ public keys for asymmetrical 
cryptosystems. Public key systems employ so-called one-way functions and trap-door 
functions. A "one-way function" is a function that is relatively easy to calculate output 
therefrom but whose inverse functions are far more difficult to compute. For example, 
power functions are such that they are easy to compute the product of a number of equal 
factors, but the reverse operation of finding the root of a quantity, is more complicated. 
"Trap doof* functions are similar to one-way functions, but where the inverse functions 
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are extremely difficult unless some additional information is available. This additional 
information is typically the "private key" held by a party, such as a voter. 

ElGamal cryptosystem. The ElGamal cryptosystem introduced in 
W. Diffie, M. E. Helhnan, "New directions in cryptography," IEEE Transactions on 
5 Information Theory, 22(6):644i554, 1976; and improved on in T, ElGamal, "A public-key 
cryptosystem and a signature scheme based on discrete logarithms," IEEE Transactions 
on Information Theory, IT-31(4):469-472, 1985, is implemented for unique subgroups of 
Gg of order q of Z p , where p and q are large primes such that q divides p-l (/.e., q\p'iy 
The primes, p and q, and generator g of Gg are system parameters. The private key is 

10 designated as 5, which is selected at random from the group Z^, /.e., s e^Zp, with 
corresponding public key h being generated by: h~^. All calculations are modulo p 
unless otherwise noted. 

To encrypt a plaintext message m, the message is generated based on the 
group Gq, /.e., m e Gg, the sender party chooses a random munber, a ^^Zg, and sends the 

15 ciphertext {x;y) = {g^M^m) to the receiver. To decrypt the ciphertext, the receiver party 
uses their private key, 5, and recovers the plaintext as m =y/x'. 

Elliptic curve cryptosystem. The ElGamal cryptosystem can be 
implemented in elliptic curve as noted in N. Koblitz, "A Course in Number Theory and 
Cryptography," 2nd edition. Springer, 1994. Encipherment and decipherment under the 

20 elliptic curve embodiment may require less storage than that under the Zp embodiments. 
A publicly known fmite field, say Zp, elliptic curve E defined over Zp, arid a base point B 
6^ are defined as system parameters. The private key is s en Zp with corresponding 
public key //== 55. 

To encrypt a plaintext message m e Zp, the sender chooses a random 
25 number, aeR Zp, and sends the ciphertext (xji) = (off, Gm + cch) to the receiver; G^ eEis 
the encoding of m onto the elliptic curve E, To decrypt the ciphertext, the receiver uses 
their private key, s, and recovers the plaintext asGm^y-sx- {Gm + ah) - s(aBy 

1 . Proofs of Knowledge 

Because the system does not decrypt individual voted ballots during 
30 election tallying, the system must ensure that all ballots contain only allowable choices. 
This assurance can not be at the expense of voter privacy. The system employs three- 
move, zero-knowledge proofs where the voters supply a proof of validity alongside their 
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ballots. This proof of validity verifies that the encrypted ballot contains only allowable 
choices without disclosing information about which ballot choices were made. 

"Zero-knowledge proofs" allow a voter or prover party to demonstrate 
knowledge of a secret while revealing no information whatsoever of use to the verifier 
party in conveying this demonstration of knowledge. Only a single bit of information is 
conveyed, namely that the prover party actually does know the secret. In other words, a 
voter and a verifying authority exchange messages, where the voter's objective is to 
convince the verifier the truth of an assertion, e.g., that the encrypted ballot is complete 
and correct, without revealing how the voter voted on each element in the ballot. Under 
such zero-knowledge proofs, each voter effectively generates certain numbers that only a 
person having his or her own private key could generate. A verifier or authenticating 
party then confirms that each calculated number indeed is generated under a known 
algorithm to thereby authenticate the voter and that his or her electronic ballot is complete 
and correct or "well-formed" for all allowable choices and constraints. 

In order to make the protocol non-interactive, the system uses aspects of the 
Fiat-Shamir heuristic, which incorporates a hash function, H. The Fiat-Shamir heuristic 
allows conversion of the three-move, interactive protocol into a single, non-interactive 
data or ballot submission consisting of a (1) a statement, (2) a challenge (which is a hash 
of the statement), and (3) a response. Furthermore, in order to prevent vote-duplication, 
each challenge is made voter specific 

H(hi,x^,aj .,M!^,bi ...b^X (1) 

where hi is the public-key for voter K/. See, e.g,, N. Koblitz, above. The hash function H 
is effectively a public one-way function for checking message or ballot integrity. A hash 
fimction is a special function in the sense that it maps a set of input values of variable 
length and value onto a set of output values of a constant length. The hash function is 
pubUcized so that anyone can calculate the hash result and verify a received message. 
Many known hash functions may be employed, and may be collision-free, in that it is 
effectively impossible to construct two different messages with the same resulting hash 
code. 
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In the system's multi-way ballot scheme, a d-of-N option is converted 
instead into N, l-of-2 options (/.e., yes/no) and votes are accumulated for each option in 
parallel. Furthermore, in order to ensure that the ballot is well formed, the system 
enforces the c/-of-JV restriction in zero-knowledge. 
5 Proof of knowledge for discrete logs. This section describes proofs of 

knowledge for discrete logs using aspects of the techniques from the papers by 
R. Cramer, R. Gennaro, B. Schoenmakers and R. Cramer, 1. Damgrd, B. Schoenmakers, 
"Proofs of partial knowledge and simplified design of witness hiding protocols," 
Advances in Cryptology- CRYPTO *94, Lecture Notes in Computer Science, pp. 174-187, 
10 Springer- Verlag, Berlin, 1994. 

Consider a d-of-N vote, which consists of n ElGamal encryptions of the 
following form: 

(Xi^yd = (g^/^'^'G^O, with V, e {-1, 1}, 
where the prover knows the values of and V/. (One skilled in the art can observe that 
tfie values of 1 and -1 are not essential; other non-equal pairs may be used. For an 
15 example of this, see section 4.3 below.) To show that exactly (i of the /i are equal to 1 
and n-d of them are equal to -1, the prover first proves that at least d of the are 1, then 
proves that at least n-d of them are -1. The fnst part consist of a witness 
indistinguishable proof of knowledge of the relation that at least d of the following 
equalities are satisfied: 

log^i = log^/G 

20 (The second part is similar and will be omitted from this description.) 

This proof is constructed using aspects of the techniques noted in the paper 
by R. Cramer, I. Damgrd, B. Schoenmakers, by combining the proof of knowledge by 
Chaum and Pedersen and the secret sharing scheme by Shamir. By Lemma 1 noted in the 
paper by R. Cramer, R. Gennaro, B. Schoenmakers, the Chaum-Pedersen protocol 

25 satisfies the conditions for the construction noted in the paper by R. Cramer, I. Damgrd, 
B. Schoenmakers. 

The proof consists of n Chaum-Pedersen proofs where the challenges are 
considered shares in Shamir's secret sharing scheme. The protocol starts with the 
generation of n-d simulated Chaum-Pedersen proofs for log^/ = log^i/Gy for / where 
30 V/ 1, The challenges Si in these simulated proofs are selected at random by the prover 
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party or voter. The prover party then computes the first pass (Oiybi) for the rest of the 
Chaum-Pedersen proofs where V/ = 1 (also called real proofs). Under one embodiment 
explained below, all (;c/^y„a„fe,) are sent to the verifier party in return for a challenge c. 
(In the non-interactive version they are hashed along with a unique public string 

5 identifying the voter to form c.) 

Shamir's secret sharing scheme is then used to determine the challenges for 
the real proofs. This is done by interpolating a polynomial P over Zg with degree (n-d) or 
less that satisfies P(0) = c and P(i) = Si for each / such that v, 1, and setting each real 
challenge 5, to P(/). Finally the real proofs are completed. The prover party sends the 

10 values jc/, yt, a/, 6„ 5/, and n. Under an ahemative embodiment, 5/ is not sent; instead, the 
coefficients ot' the polynomial P are sent, as explained below. 

Verification is done by checking each Chaum-Pedersen proof separately 
and then verifying that there exists a polynomial P over Zg with degree (n - d) or less 
such that P(0) = c and P{I) = 5,. Under the alternative embodiment noted above, the 

15 interpolated polynomial is explicitly available in the proof The verifier party just checks 
that the values of it at corresponding valuation points are correct. Figures 2 and 3 show 
the complete ballot validity proof and verification as they are used in the election 
protocol. 

Referring to Figure 2, a ballot creation protocol or routine 200 is shown that 
20 is typically performed by the voter computer 102. In step 202, the voter computer 102 
generates a set of constants for each of nimiber i ballot initiatives, where each choice on 
the ballot is reduced to a single yes or no vote (/.e., V/ = 1 or = -1, respectively). Step 202 
(as well as steps 206 and 210) are divided by a vertical line, whereby the left hand 
column created by the line represents a yes vote (/.e., = 1), while the right hand column 
25 represents a no vote (/.e., =-1), or vice versa. The actual assignment of the yes vote = 1 
and a no vote = -1 is arbitrary. As shown in step 202, the voter computer 102 initially 
selects at random several constants firom the ring Z^, and therefirom generates the 
constants x, y, a and b, all as shown 

In step 204, the voter computer 102 applies a hash function H to all of these 
30 generated constants, as well as an identifier value for the voter or digital signature (ID), to 
generate a hash function result Cy. The voter computer 102 also interpolates a polynomial 
P over the ring Z,, such that the degree of the polynomial is less than or equal to the 

18 



wo 01/20562 



PCT/USOO/07737 



number of ballot options n minus the number of choices of those options t/. The value of 
P (o) is set as the result of the hash function, while P (J) = Sj,j for v, = -1. 

In step 206, the voter computer 102 generates the result of the polynomials 
5y,y, and therefrom generates new constants r, a, and b for a yes vote; for a no vote, the 
5 voter computer 102 simple generates the constants a and 6, all as shovra. 

In step 208, the voter computer 102 generates a new hash function result c^, 
and a new polynomial P2 that now has degree less than or equal to d. Additionally, P (0) 
is equal to the new result of the hash function and P (j) is equal to Sj,2 for a yes vote = 1. 

In step 210, the voter computer 102 generates the result of the new 
10 polynomial as s and therefrom generates the constant r 

In step 212, the voter computer 102 finally outputs a string of constants in a 
precise order, as shown in Figure 2. 

Referring to Figure 3, a verification protocol or routine 300 is shovm that is 
performed by the server computer system 108. In step 302, the server computer system 
15 receives the string of output values, in the exact order, as they were output under step 212 
above. In step 304, the server computer performs the public hash function on the string to 
determine if the result is equal to Cy. If so, the server computer determines whether there 
exists a polynomial selected from the ring Zg that has degree n - d. The server computer 
also then computes values a and b, and determines whether such computer values 
20 correspond to those received previously under step 302. Under an alternative 
embodiment, the server computer simply verifies values of the polynomial P(x) at values 
1, 2, 3 ... / and that the values at a and b are correct. 

In step 306, the server computer effectively performs the same steps, but for 
the no vote or -1 portion. 
25 Having described the above ballot formation and verification with respect to 

Figures 2 and 3, the remaining discussion is readily understandable by those skilled in the 
relevant art based on the following description as applied to the system of Figure L In 
general, ballot creation and proof of knowledge steps are performed by the voter 
computer 102, while verification and tallying steps are performed by the server computer 
30 system 108. Thus, for reasons of economy and clarity, the following discussion of the 
voting encryption protocol, including homomorphic encryption, threshold cryptosystems, 
and a multi-way election scheme are presented generally without direct reference to the 
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computing platforms of Figure 1. Those skilled in the relevant art will recognize that 
nearly all elements of the protocols described herein are performed by computers, except 
for the election preparation or generation of a ballot by an organization and the creation 
of choice or casting of the ballot by tiie voter (i.e., the actual himian choices made). The 
5 term "computer" as used herein refers to any data processing device, as described more 
fiiUy herein. 

The preceding covers the situation where a voter is required to vote for 
exactly <i of the w choices (where d represents the number of yes choices and d - n 
represents the number of no choices). However, this mediodology can be easily extended 

10 to a situation where a voter is asked to choose at most d from a set of n possible choices. 
To facilitate this, the ballot is constructed to return n + d decisions on the issue, instead of 
just n. By convention, the first n of these correspond to the n available decisions, while 
the last d of these all correspond to decisions known as "do not care." The do not care 
decisions are not expected to be tallied, however, when a voter proves that he or she has 

15 chosen exactly in this situation, the protocol also proves that he or she has selected at 
most d from the first n "achial decisions" in contrast to the last d "do not care" decisions. 
Those skilled in the relevant art will recognize that the same technique may readily 
extend to situations of the form: n choices, select "at least" dj and ''at most" d2. 

Proof of knowledge for elliptic curve. In this section, we describe proofs 

20 of knowledge for elliptic curves. We begin describing a public coin protocol for proving 
knowledge of an integer coeZ such that cdB = P. This is the discrete log problem on E, 
where £ is an elliptic curve over Zp and 5, P g E. Table 2 shows the protocol similar to 
C. P. Schnorr, Efficient signature generation by smart cards. Journal of Cryptology, 
4(3): 161-174, 1991. 

25 Lemma 1. The protocol of Table 2: Proof of knowledge for discrete log 

problem on elliptic curve E is a three-move, public coin [key?J proof of knowledge for 
the relation coB (the discrete log problem on elliptic curve E). The proof satisfies special 
soundness, and is special verifier honest-verifier zero-knowledge. In general, a proof is 
"sound" if there exists an expected polynomial-time algorithm, whereby if a dishonest 

30 prover impersonating a voter can with non-negligible probability successfully execute the 
protocol with another, such as the verifying authority, then the algorithm can be used to 
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extract from this prover knowledge which will, with overwhehning probability, allow 
successful subsequent protocol executions. 



Prover 




Verifier 


a^Ba 












r-a+c<o 




rB = a^Pc 



Table 2: Proof of knowledge for discrete log problem on elliptic curve E 
Proof, It is easily shown that 

rB^a + Pc 

{a-\-c€o)B = Ba'\-{(oB)c 
Special soundness holds because from two accepting conversations with the 
same first move {a,b,CurxX {a,b,C2\r2) and c^^c{,di witness ^ j can be extracted 
satisfying (jcj^) = {a)B,Q)h) . Honest-verifier zero-knowledge holas because, for random c 
and r, we have {Br - jcc, hr - yc,c,r) is an accepting conversation with the right 
distribution. Since the challenge c can be chosen freely, we also have special 
honest-verifier zero-knowledge. 

2. Homomorphic Encryption 

The homomorphic property is important for meetmg universal verifiability 
requirements in concert with threshold cryptosystems. We give a definition of this 
property here. 

Definition 1: Let G be a group, and let 5 and be sets, k keyed encryption 
E'GxS^H 

function on G is a fimction 

Definition 2; Widi the notation above, if// is a group (i.e. a set with 
arithmetic structure), and if the fimction £ satisfies 

Vm,,m2 eG,Va e5 3a,,a2e5 suchthat E{m^m^,a) = E(m^,a^)E{m^,a^) 
then £ is a homomorphic encryption function 

Definition 3: If S is also a group and if the stronger condition 

V/Wp/Wj €G,Va,,aj E{m^m,,a^a^)^ E{m,,a;)E{m^,a^) 
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then £ is a strongly homomorphic encryption function 

Note: Both definition 2 and definition 3 can be easily rephrased for groups 
whose binary operation is written in additive notation (usually the case for commutative 
groups). For example, if S and G are both written with additive notation, the equation of 
5 definition 3 becomes 

(here H is still using multiplicative notation). 

ElGamal homomorphism. For the Zp ElGamal cryptosystem, as noted 
above, given a fixed generator G g G^, the encryption of a message w g is 

Eim,a)^{g\h^G'") 

10 Hence, in definition 2, the group,//, can be taken to be Z^xZ^ with 

coordinate wise multiplication, and we have 

(2) 

E{m,-i-m,,a,'^a,) = ig''^'''\h''^'''^G'^''^)^i^^^ 

= E{m,,a^)E{m2,a2) 
So the ElGamal cryptosystem is strongly homomorphic. 

Further, if h^g\ md if {X,Y) = Eim,a) = ig\h''G"')is the encryption of 
15 some message, then we always have 

fr = >'/x' = (/i"G'")/(g'')' = G" 
Computation of the exponent, w, fi-om requires computation of a discrete 
log, which is difiQcult in general. However, because of the relatively small number of 
votes that will occxu- in application, /wwill be relatively small, and this discrete log can 
computed by simple trial and error. (Here anything less than about lO'Ms relatively 
20 small.) 

Elliptic curve homomorphism. Elliptic curve ElGamal cryptosystems also 
exhibit the required homomorphic property for the voting scheme. This can be verified 
exactly as in the Z^case by using// ^FxTfor a chosen elliptic curve F, and by using 
additive notation for the binary group operation of //instead of multiplicative notation 
25 which was used above. Comments regarding the computation of the discrete log apply 
again, modified only by changing multiplicative notation to additive notation. 
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3. Threshold Crvptosvstems 

The objective of a threshold cryptosystem is to share a private key, 5, 
among n members of a group such that messages can be decrypted when a substantial 
subset, r, cooperate - a (/, n) threshold cryptosystem. Protocols are defined to (1) 
generate keys jointly among the group, and (2) decrypt messages without reconstructing 
the private key. T. Pedersen, "A threshold cryptosystem without a trusted party," 
Advances in Cryptology - EUROCRYPT '91, Lecture Notes in Computer Science, pp. 
522-526, Springer- Verlag, 1991, describes both protocols for the ElGamal cryptosystem. 
This protocol extends that to the elliptic curve context. 

ElGamal threshold cryptosystem. Solutions to both the key generation 
and decryption protocols are given in the above reference. 

The key generation protocol results in each authority Aj possessing a share 
Sj 6 of a private key, s. The authorities A commit to these shares by posting the public 
key, hj = G'^ . Using Shamir's {t, «)-threshold scheme, noted in A, Shamir, "How to share 
a secret," Conmiunications of the ACM, 22(11):612-613, 1979, the private key can be 
recovered using Lagrange coefficients without any single authority learning the private 
key: 

. =i:V;.whereA,= fl JTY 
Proof. Evaluate the Lagrange interpolation for polynomials aty(0) and solve for fo^s, 

where/z) =/o +/iz + +^z'•^ 

By substituting z = Z/j, all terms in the sununation vanish except for the 
term, which is Sij, 

As described above, / authorities must cooperate to decrypt ciphertext (xj/) 
= {g^,h^m) without reconstructing the private key, s: 

1. Each authority Aj broadcasts cD^-x'^and proves in zero-knowledge 
that 

l0g^/»; =l0g,6>;. (5) 
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2, Let A denote any subset of / authorities who passed the zero- 
knowledge proof. Solve for the plaintext; m 

Proof. 

t 

m~y/x' -yl W 

>=l.;€A 

Elliptic curve threshold cryptosystem. We now adapt the above-noted 
protocols to the elliptic curve context. The key selection method is as follows: 

1. The authorities agree on system parameters: a finite field Zp, an 
elliptic curve E defined over Zp, and a base point B e E, 

2. Authority, A/, chooses private key sj €r Zp and computes hj = SjB. 
Let C(m, r) denote a bit conunitment to /t? e 0, 1 using random string r. A random string, 
ry, is chosen and Cj = C(//y;/}) is broadcast to all authorities. 

3. When all authorities have broadcast their conmiitment, each Aj opens 

Cj- 

4. The public key, /z, is computed as 
h^Yi^jy where •J = O private key. 

Proof 

h = Ylh.=s,B^-^s„B = BYls., 

After keys have been selected, the server computer system 108 distributes 
them to the authority computers 1 14 according to the following protocol: 

L Authority, Aj, chooses a random polynomial fj {z)eF^ of degree no 
greater than t - 1 such that j^{0) = Sj, Let 

fj (0 = Ao + Where m = Sj, (7) 
2. Aj computes Fjj = Bfj^ 7 0, . . . , r - 1 and broadcasts Fjj, j = 
0, . . . , / - 1. Note that Fj^q = hj is known beforehand through the key selection protocol 

(Le,,Fj,0=^Bfj^o = Bsj=-hj, 
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3. When all authorities have sent these / - 1 value; Aj sends Xjj =fj{i) 
secretly and a signature on XjjtoAk,k-l,.,.,n {Am keeps x^). 

4. Aj verifies that the share, xy, received from Af is consistent with 
previously published values by verifying 

(8) 



1=0 



Proof. 



= 5Uo+A.y+ - + W').since / (7) = x,, and 



1=0 



If the verification fails, Aj broadcasts that an error occurred, publishes Xjj, the signature, 
and stops. 

5. Authority Aj computes share Sj as the sum of all shares received in 
Step 3, ^ Si J . Aj signs public key h. 

6. When all authorities have signed public key h, a key authentication 
center verifies the signatures and makes a certificate showing that h is the group public 
key for the authority group. 

Extending the above to elliptic curves, / authorities must cooperate to 
decrypt ciphertext {x,y) = {aB,m+ah) without reconstructing the private key, s: 

1. Each authority Aj broadcasts o)j = xsj and proves in zero-knowledge 
that 

xhj=B(Dj (9) 

Proof 

xhj = Bq)j 
x(Bs,) = B(xs,) 
BxSj =BxSj. 
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2. Let A denote any subset of / authorities who passed the zero- 
knowledge proof Solve for the plaintext, m 



m 



Proof 



m 



y-sx 

y- Z V> ^=^" Z 

t 

y- 



(10) 



4. Multi-Way Election Scheme 

For support of several options per race, the voting protocol converts the 
d-of-N option into N, l-of-2 options and accumulate votes for each option separately. 
Furthermore, to ensure that the ballot is well-formed (i.e., conforms to the d-of-N 
restriction), a non-interactive proof is submitted with the ballot. This scheme increases 
the ballot size by 2(i/ + ;V) and the proof of validity by N. The voter submits an 
encrypted ballot to the ballot box accompanied by a zero-knowledge proof as explained 
above that verifies that the ballot is well-formed (i.e., only allowable choices). Votes are 
combined using homomorphic techniques as explained above into an encrypted tally. 
Using threshold encryption coordination by /-of-« authorities as also explained above, the 
encrypted tally is decrypted without disclosing of the private key. Finally, the tally is 
computed from the decrypted tally. 

4.1 Z g Formulation 

We now describe the election scheme in a discrete log context for 
subgroups. G,,of order q of Z],, where p and q are large primes such that q divides p - 1 
(i.e., q\p-l). The security of the scheme depends on tfie security of the ElGamal 
cryptosystem where the discrete logarithm is considered intractable. Those skilled in the 
relevant art will appreciate that p and q need not always be prime (but are often prime in 
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many practical applications). Nevertheless, the discussion herein employs prime values 
for p and q. 

Election preparation. To generate a ballot for an election, the system 
paranieters p, q, and fixed generators g, Gk ^Gg where l<k^N ballot options, are 
generated jointly by a subset of the authorities. Two more parameters yu, rik, Z* are also 
chosen for each ballot option to represent the decisions *yes' (y*) and *no' (wjt), (In order 
to simplify implementation, the N generators, Gk, as well as the N pairs yu, rik, may be 
chosen so that they are independent of k. That is, Ga=G, yk = yo and = wq, for all 
\<k<N . In fact, from a practical standpoint, it is most convenient to always use the 
values Gk^G = g, and;^* =j^o = 1 and Wjt = = -1 or =>'o = 1 and «a = '^o = 0, but the 
scheme will work essentially unchanged for any fixed pair of values in Zp, as long as, of 
course, yo # Wo- Finally, the authorities cooperate to generate a public key parameter, h, 
in the cychc subgroup generated by g, by using the secret sharing protocol described 
above. Since h e^g), // = / for some ^ g Z*, however, the secret sharing protocol 
ensures that s is not known by anyone. The authorities may, however, cooperate to 
compute y = x^ from any given value x without ever revealing information about s. 

Casting a ballot. To cast or create a voted ballot, an ElGamal encryption 
is made of each ballot option. For each voted ballot, /, cast in the election, and each 
ballot option, k, on the ballot, the encrypted message is G^*^'**', where Gu is the generator 
of G^preassigned to ballot option k, and b(i,k) g {y^,n^}is voted ballot i's choice on that 
ballot option. The encrypted voted ballot, 5,, is then of the form 

5, = {x,y, = {(g-(''^),/,«(''*)G*(' ^)))^ l^k^N. (11) 

where a(/,it)eZ* is chosen randomly by voter Vt, and kept secret. In addition to the 
ballot, a non-interactive proof of validity is submitted according to the protocol described 
above. 

Tallying. To tally the election, the votes are combined, exploiting the 
homomorphic property described above. For discrete logs, this involves multiplying all 
votes to obtain a single encrypted tally for option k, iX,Y)fc, The authorities jointly 
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execute the decryption protocol described above for iX,Y)k to obtain Wk = Gl' = YJ XI, 
where 

1=1 

where A'ltCy) and Ni^ri) are, respectively, the number of voters, Vi, who chose b(i,k) = a?^. 

5 (For the convenient parameter choices yk=' 1, n^- -I that will typically be used, T/^ is 
equal to the difference between the number of yes-votes and the number of no-votes for 
option k, -l<Tk< I) Once Wk has been found, Tk can be computed via a brute force 
discrete log search. As a small optimization, one can arrange up front to have the Tk 
satisfy a known linear equation, in which case the server computer can compute one of 

10 them directly from the others without a discrete log search. 

Summary. A summary of the steps imder the discrete log protocol method 
performed by the system 100 is: 

1. The authorities jointly generate the system parameters /?, g, Gk, yk. 
wjfe, and (for 1 < k<N). 

15 2. Voter Vi posts a ballot to the ballot box 

{(w,..)):.,={(?*".*""*'Grl 

where a{i,k) e„ Zj„b{i,k) e {y^ {yes),n^ («o)}and l^k^N. 

3. Voter Vi accompanies the ballot with a non-interactive proof of 
validity, POV,, to ensure that the ballot is well-formed. POVi is checked by the 

20 authorities. This check can be completed either during polling or after the polls close. 

4. When the polls close, the encrypted tally, (X, Y)k 

= (n.'=,'u.n!=,>'..»)' is formed. 

5. The authorities jointly execute the decryption protocol described 

above for {X,Y\ to obtain = G[* = /x;, where Tk satisfies equation 12, 1 < k ^ N. 
25 6. Find Tt by computing Gl,T = py^ +{l-p)n^,0^p^l,mtil Wk= G[; 

\<k£N-\. 

7. Compute T^, either by the previous search method, or by solving a 
known linear equation involving 7*, 1 ^ ^ ^ ^ - 1 . 
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8. For the unique value pk satisfying 7i = p^yt ^{i'Pk)^k^ publish the 
values Ni^) = pk and Nk{n) = l-pk as the total 'y^s votes' and *no votes' respectively for 
ballot option k. 

Universal Verification. To verify the election in the discrete log context, 
5 the following protocol is executed: 

1 . Using tally, T*, compute V, = C[* and check that = . 

2. For voter Vi, check POVi, This proves that each ballot is well- 
formed. 

3. Compute the product (-^.J'X =(nL^a'nM^'>) and check that 
10 {^,y)j^ is equal to the published values {XJX 

4. Check proofs of validity, submitted by the authorities, for the 
decryption protocol described above. This proves that Wk -y,^ I XI without reconstructing 
the authorities' private key s, 

5. Verify that NiJiy) and NiJin) satisfy equation 12. 

15 Furthermore, voter Vt can optionally be given the random number used to 

encrypt option k (/.e., a^j^). The random number can later be used to regenerate the 
ciphertext {x^xyi,k) = [g'^'^X'^G^ ) and compare it to the contents of the ballot box. This 
has the disadvantage that a,^ is a receipt for option k and could be used to convince a 
coercer, 

20 4.2 Elliptic Curve Formulation 

We now describe the election scheme in an elliptic curve context for a 
publicly known finite field Z^, elliptic curve E defmed over Zp and a base point g e E. 
The security of the scheme depends on the seciuity of computing discrete logs on elliptic 
curves which is likely to be more intractable than computing discrete logs in finite fields. 

25 See e.g., N. Koblitz, A Course in Number Theory and Cryptography, 2nd edition, 
Springer, 1994; A. M. Odlyzko, Discrete logarithms in finite fields and their 
cryptographic significance, Advances in Cryptology - EUROCRYPT '84, Lecture Notes 
in Computer Science, Springer- Verlag, 1984. 

Election preparation. The system parameters E and points g, Gu e E, as 

30 well as>';t, rik e Zq^ (where 1 < k ^ //ballot options, and qu is the order of the cyclic sub- 
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group generated by Gk) are generated jointly by a subset of the authorities. As in the Zp 
setting, one can choose to simphfy the implementation by choosing the N generators, Guy 
as well as the N pairs y^, nk\ so that they are independent of k. More specifically, it is 
most convenient to always use the values j^jt =>^o - 1 and rik- n^- -\, ov yk~ y^"^ 1 and 
nk^riQ^ 0. The parameter /? e <g > is also generated using the secret sharing protocol in 
essentially the same way it was generated in the Zp setting. 

Casting a ballot. To cast a ballot, an encryption is made of each ballot 
option. The message is bk Gu, where bk e {yiJ^yes), rik {no)} for option k. An encrypted 
ballot is then of the form 

Bi - {{x,k , y,k) fu^ I - { ( am g , a(a) h -h bO^k) G,)}\.,l<k<K (13) 

where a{i,k) e <g )' is chosen randomly by voter and kept secret. In addition to the 
ballot, a non-interactive proof of validity is submitted according to the protocol described 
above. 

Tallying. To tally the election, the votes are combined, exploiting the 
homomorphic property described above. For elliptic curves, this involves summing all 
votes to obtain a single encrypted tally for option k, {X,Y)k, 

The authorities jointly execute the decryption protocol described above for 
{X,Y)k to obtain Wi, TkGk^" Yw sX^, where Tk again satisfies equation 12, Again, once 
Wk has been found, Tk can be computed via a brute force search. The optimization of the 
Zp setting also applies here. 

Summary. A summary of the elliptic curve protocol method is: 

1. The authorities jointly generate the system parameters £*, g, Gk, yk , 
wjt, and h{fox\<.k<. N). 

2. Voter Vt posts a ballot to the ballot box 

{{xuk, yij) fk-x- {( a(/,fc) g , am h + bm Gk ) }^.« , 
where a/,jt e r Zp, b(i,k) e {yk (yes), rik {no)}, and \<^k<.N. 

3. Voter Vt accompanies the ballot with a non-interactive proof of 
validity, POVt, to ensure that the ballot is well-formed. POVi is checked by the 
authorities. This check can be completed either during polling or after the polls close. 
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4. When the polls close, the encrypted tally, {X,Y)k = (Li - i ^a, 2^/ = i 
y^X is formed. 

5. The authorities jointly execute the decryption protocol described 
above for (X,Y)k to obtain Wu ^TkGk^Yk- sXk, where Tk satisfies equation 12. 

5 6. Find Tu by computing TGkyT^pyk + {l -p)nkO<p< /, until = 

TGm, \ <k<N- 1. 

7. Compute 7^ either by the previous search method, or by solving a 
known linear equation involving Tk^ I <k<N'- I. 

8. For the unique value pk satisfying Tk ^Pkyu^il- Pk) «it, publish the 
10 values Nk(y) = Pk and Nf^n) - / - as the total *yes votes' and *no votes' respectively for 

ballot option k. 

Universal verification. To verify the election in the elliptic curve context, 
the following protocol is executed: 

1 . Using tally, Tk, compute = Tfi, and check that W^^W,, 
15 2. For voter I^, check POVf, This proves that each ballot is well- 

formed. 

3. Compute the sum (v^^,>'), =(Zl=i^»>.Z!=i^a) ^^^^^ 

4. Check proofs of validity, submitted by the authorities, for the 
20 decryption protocol of Section 2.5. This proves that Wk = Tk Gk without reconstructing 

the authorities' private key 5. 

5. Verify that Nj^) and Nk{n) satisfy equation 12. 

Furthermore, voter Vi can optionally be given the random nuihber used to 
encrypt option k {i.e., dj,k)). The random number can later be used to regenerate the 
25 ciphertext (jc^.*, yi^k) = {ciUk)g, ciUk)h + b{i,k)Gk) and compare it to the contents of the 
ballot box. This has the disadvantage that c^i^k) is a receipt for option k and could be 
used to convince a coercer. 

4.3 General Group Formulation 

Both the discrete log (Z^) formulation and the Elliptic Curve formulation 
30 are special cases of the following general setting. 
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Let £ be an encoding of an abstract group Q into some finite alphabet S. So 
Choosing any fixed element g e \C? induces an encoding Eg : Z -> S via the rule 

in fact, we have ^ : I*, where q = |<g>|. 

In the previous subsections, Q= Zp, E respectively. In both cases, the 
encoding, eoiQ was not explicitly stated, but it was implied. For example, little thought 
is necessary to realize that each voter, Vi, actually submits a bit-encoding of his ballot; Bt 
(see equations 11 and 13). (On digital computers now in use, Z = {0, 1}.) 

Having made a note of this simple, but important point, it can now be seen 
that both the Zp setting and the Elliptic Curve setting of the previous subsections can be 
interpreted in tiie general framework above. In the case of Z^, the binary group operation 
was written in multiplicative notation, while in the Elliptic Curve case, it was written in 
additive notation. Aside from this notational difference, the description of the multi-way 
election scheme in both settings is effectively identical. In each case, only the abstract 
group properties, and the particular bit-representation of the group were used. Thus, 
implementation of the multi-way election scheme is not limited to the two settings 
previously discussed. 

Referring to Figure 4, a general, overall, routine 400 for performing a multi- 
way election is shown. In step 402, an organization determines initial cryptographic 
parameters, such as a group {e.g., Zp or elliptic curve), a subgroup generator g, a size of 
the group G and a size of the generated subgroup q. This information is provided to a 
number n of tabulation authorities, whereby a subset of these authorities K are needed to 
decrypt ballots, as explained below. 

In step 404, the tabulation authorities T produce a public key h. In step 
406, a vote collection center, such as an organization or group operating the server 
computer system 108, employs the cryptographic parameters to encode a ballot and 
digitally sign that ballot. When a voter requests a ballot and provides proper 
authentication of any necessary registration information, the vote collection center 
provides an encoded ballot to the voter. More information on registering voters may be 

found in U.S. Patent No. , filed March 24, 2000, entitled "Method, Article and 
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Apparatus for Registering Registrants, Such as Voter Registrants," and assigned to the 
assignee of this application. Under step 406, the vote collection center also digitally 
signs or hashes each ballot distributed to a voter. 

In step 408, each voter verifies the digital signature or hash function result 

5 provided with the ballot to ensure the ballot has not been altered and was received from 
the appropriate vote collection center. Under step 408, each voter makes a decision d for 
each of the ballot options /, or each ballot option has one of two choices (yes or no, or 
or G The voter computer 102 then produces encrypted decisions <i„ and provides a 
validity proof based on the encrypted decisions. The validity proof ensures that some 

10 number k of options were correctly voted on so that all constraints on the ballot are 
satisfied. The proof of the validity may include the polynomial result 5/, or the 
coefficients of the polynomial T(x) (as explained below). The voter also includes his or 
her digital signature with the ballot and submits it to the vote collection center. 

In step 410, the vote collection center verifies the voter's eligibility and 

15 digital signature and verifies the proof of validity included with the ballot. If both of 
these checks pass, then the ballot is added to a "ballot box" which may be both a database 
containing all these ballots, as well as ballots written permanently to a write-once, read- 
many storage device, which is described in more detail in U.S. Patent No. , 

filed March 24, 2000, entitled "Electronic Voting Scheme Employing Permanent Ballot 

20 Storage" and assigned to the assignee in this application. After receiving a ballot (and 
possibly after verifying it), the vote collection center under step 410 provides a digitally 
signed receipt to the voter. Under an alternative embodiment, the vote collection center 
provides the digitally signed receipt to one or more of the tabulation authorities (as shown 
by the broken line 409 in Figure 4). The tabulation authorities may then add their own 

25 digital signatures before forwarding the receipt to the voter. Thus, the tabulation 
authorities may retain a collection of receipts provided by the vote collection center to 
verify that all ballots provided by voters have been included in the fmal tally. 

In step 412, the vote collection center aggregates the encrypted decisions 
after the polls close and produces an encrypted tally Ai, a copy of which is sent to each of 

30 the tabulation authorities T, In step 414, each of the tabulation authorities produce their 
decryption share Bi (A:), to the vote collection center. The tabulation authorities do not 
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transmit their secret keys. In steps 416 and 418, the vote collection center receives the 
decryption shares from the tabulation authorities and decrypts a result Si. 

In step 420, the vote collection center either by a brute force method 
determines the logo of the values 5/, or does a search of a previously computed and stored 

5 table of such computations, as described below. In step 422, the vote collection center 
pubUshes the encrypted voter ballots and signatures, voter validity proofs, authority 
validity proofs and results of the tally or election. Each voter may then verify that his or 
her ballot was included in the tally. In step 424, a third party or external audit/review 
organization may verify the results to ensure the election was performed without fraud. 

10 Under one embodiment, after each voter submits his or her encrypted ballot 

under step 408 to the vote collection center, the vote collection center under step 410 may 
issue a receipt to the voter that includes the digital signature of the vote collection center. 
This receipt, with a digital signature, provides indication or assurance to the voter that his 
or her ballot has been received. Under an alternative embodiment, the receipt provided 

15 by the vote collection center first passes through the tabulation authorities (/.e., the 
authority computers 114), who each add their own digital signatures to the receipt. 
Thereafter, the voter receives a receipt having digital signatures from not only the vote 
collection center but also the tabulation authorities. This allows the tabulation authorities 
to check receipts received from the vote collection center to ensure that the vote 

20 collection center has not deleted or omitted ballots from the resulting tally. 

4.4 Tabulation Search Enhancement 

One of the more time consuming operations required in the tabulation phase 
of the multi-way election scheme is the search for each Tjt. To make matters worse, this 
piece of the tabulation can not be started until after the polls are closed, unlike the 
25 validity verification and aggregation pieces, which can be carried out on each vote as it is 
received. This can cause a significant delay in posting the election results. 

This situation can be improved by making a time/space tradeoff. In other 
words, to improve processing time, memory or data storage space is required as explained 
below. Assume it is known sometime prior to tabulation, an upper bound L on the total 
30 number of votes cast in any precinct. For any 0 ^ a < 1, the server computer can 
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precompute and store quantities that allow it to compute each Ti (during the tabulation 
search stage) using at most + L^^^^ multiplications and at most a log {L) L^^ ' 
comparisons, instead of the L multiplications and L comparisons that are required by the 
straightforward approach. In other words, by precomputing such values, and storing them 

5 in an indexed fashion into a look-up table in the database 110, the server computer 
system 108 may more readily compute a tally under step 420 above. The procedure is 
described as follows: 

INPUT: A generator, g of a cyclic group, G, an element /? e G and an 
upper bound L on log^ h, (That is, knowledge that there exists an s with 0 <s <L such 

10 that / = 

OUTPUT: The value of s above. 
PROCEDURE: 

Precomputation. (Done once before tabulation.) 
1. Set /n = \Lf\ or the smallest integer greater than or equal to V^. 
15 2. Construct and store a sorted list of elements (/, ^) for 0 <j < m, 

sorted on the value of the second index. 

3. Compute and store ^= g"'". 

Search. (Done at tabulation time to fmd each T^.) 

Set = [L{\ " a)1 , and /= 0, For 0 </<//- 1 execute the 

20 following until /= 1. 

lf(j\y) is in the precomputed table, set ^ = /w + y, and / = 1 (retum). 
Otherwise, set 5;^ (iterate loop). 

Note that this tabulation search enhancement applies to the general group 
setting, since no special properties of Zp or Elliptic Curves were used. Even greater 
25 efficiencies are obtained for the typical election parameter choices where G*, yk, and n/c 
are all chosen to be independent of k In this case, the server computer need only 
precompute one table regardless of the number of ballot choices. 

Referring to Figure 5, a routine 500 performed by the server computer 
system 108 illustrates the above tabulation search enhancement. Under step 502, the 
30 server computer system 108 constructs and stores a sorted list of pairs (/, g) before all 
electronic ballots are received from voters or before the decrypted aggregated tally is 
received. The sorted list is sorted based on the second coordinate (/.e., g). The number 
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of values chosen are set at some memory storage space constraint. Thus, under step 502, 
the server computer 108 precomputes values ^ for values of > from 1 to a number chosen 
to match the constraint. 

Under step 504, the server computer system 108 successively generates 
5 values of the form h g ■'"> after the decrypted tally is received. In step 506, the server 
computer system 108 determines if the generated value from step 504 matches a 
previously computed and stored value in the list (based on the second coordinate). If not, 
then the routine 500 loops back to step 504. If yes, then the decrypted tally results under 
step 508. 

10 The following is a detailed example of the homomorphic voting protocol. 

In order to maximize the clarity of our presentation, several of the basic parameters used - 

for example, the number of voters, and the size of the cryptographic parameters - are 
much smaller than would be the case in practice. Nevertheless, the example helps 
explain important aspects of the system. The operations that must be performed in a full 
15 scale election occur in this downsized example, and are documented here. (Since the 
tabulation speedup methodology can only be illustrated on large quantities of data, it will 
not be presented here. Instead, a simple search is used in the final stage of tabulation.) 

5. Example: Election Initialization 

An organization must first agree on a ballot (a set of questions and 
20 allowable answers, a page layout, etc.), a group of eligible voters, a standard information 
encoding scheme (a pubUshed ASNl standard, HEX encoded, for example), and the basic 
cryptographic numerical parameters. It also agrees on who will be the set of tabulation 
authorities, and the threshold, /, for decryption. Optionally, it may also agree on a "ballot 
signing authority", whose responsibility it is to authenticate, via digital signature, the 
25 final encoded form of the ballot. Once agreement has been reached, all of this 
infomiation is encoded in the agreed upon format, and this data string is digitally signed 
by whatever parties are required to represent, as a group, the consensus of the 
organization. 

Under the following example, two voters vote on colors for a new flag, 
30 where a maximum number of two colors per voter may be selected. Three tabulation 
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authorities are used to decrypt the ballot, where only two of the three authorities are 
necessary for decryption. For the purposes of this example, we will assume that the 
essential parameters have been chosen as follows: 
Ballot 

• One Question 

- Question 1 Text: 

- Number of answers/choices: 4 

• Answer 1 Text: Blue 

• Answer 2 Text: Green 

• Answer 3 Text: Red 

• Answer 4 Text: Black 

' Max Positive: (Maximum "yes" answers/votes allowed) 2 
Eligible Voters: 2 

1. Name: VI 

2, Name: V2 
Tabulation Authorities: 3 

1. Name: Al, Index: 1 

2. Name: A2, Index: 2 

3. Name: A3, Index: 3 
Tabulation Threshold: / = 2 
Cryptographic Parameters 

• Group Arithmetic: Integer mutiplicative modular arithmetic 

• Prime Modulus: /7==47 

• Subgroup Modulus: q~23 

• Generators: g = 2 and G = 3. (From this it can be easily 
computed the inverse or "no/againsf ' vote for G, /.e., G"^ = 16.) 

• Public Key: h- g' where s is unknown, h is created by having 
the tabulation authorities execute the threshold secret sharing 
scheme explained herein. For sake of this example, let us say 
that h is detemiined to be 7. (Remember that this is a "toy" 
example. In this case 5 - 12 can be determined by brute force, 
since the cryptographic parameters were chosen to be too small 
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to be secure. In a real example, this would not be the case; it 
would be computationally impossible to determine s from the 
known value of//.) 

A separate signed, encoded ballot is also formed. The signature on this 
ballot is either the same group signature used on the election parameters, or the signature 
of the appointed "ballot signing authority", but the data contained in it may be a subset of 
the above data. At a minimum, the ballot encodes the values of the numerical 
cryptographic parameters /?, q, the exact sequence of questions, question text, 
allowable question answers, and question "max positives". Once this encoded ballot is 
signed, the election is ready to take place, 

6. Example: Voting 

6.1 Ballot Request and Transmission 

Sometime during die preset official polling time, the voters, Vi and Vj each 
independently submit a ballot request, along with authentication information. Assuming 
that authentication information passes the required tests, a ballot is delivered to the 
respective requester. Further information on authentication schemes may be found in 

U.S. Patent Application No. , filed March 24, 2000, entitled "Method, Article 

and Apparatus for Registering Registrants, Such as Voter Registrants," and assigned to 
the same assignee of this invention. On receiving the ballot, each voter first checks the 
signature to be sure it is valid. Assuming the signature check passes, the voter then 
decodes the ballot. From the ballot, the voters are able to determine that the expected 
response is the standard encoding of a particular sequence of seven distinct data elements. 
These are (in their precise order): 

1. A pair of integers (/i, t{) with 0 < lu n < 47 indicating (in encrypted 
fomi) the voter's choice for the answer This is an encryption of one of two 
values, which can be interpreted as "for or against" or "positive or negative" or "checked 
or unchecked". 

2. A pair of integers {k, rz) with 0 ^ r2 < 47 indicating (in encrypted 
form) the voter's choice for the answer 'Vreen'\ This is an encryption of one of two 
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values, which can be interpreted as "for or against" or "positive or negative" or "checked 
or unchecked". 

3. A pair of integers (/a, rj) with 0 ^ /s, < 47 indicating (in encrypted 
form) the voter's choice for the answer "Red". This is an encryption of one of two 

5 values, which can be interpreted as "for or against" or "positive or negative" or "checked 
or unchecked". 

4. A pair of integers (U, with 0 < U, < 47 indicating (in encrypted 
form) the voters choice for die answer "Black". This is an encryption of one of two 
values, which can be interpreted as "for or against" or "positive or negative" or "checked 

10 or unchecked". 

5. A pair of integers (/j, r^) with 0 < /s, rj < 47 indicating (in encrypted 
form) the voter's choice for the answer "Do Not Care 1 ". This is an encryption of one of 
two values, which can be interpreted as "for or against" or "positive or negative" or 
"checked or unchecked". This value will never affect the fmal tally of any of the four 

15 "real" responses - "Blue", "Green", "Red" or "Black". It is only present to support the 
proof of validity that the voter must also submit. 

6. A pair of integers {h, n) with 0 < n < 47 indicating (in encrypted 
form) the voter's choice for the answer "Do Not Care 2'\ This is an encryption of one of 
two values, which can be interpreted as "for or against" or "positive or negative" or 

20 "checked or unchecked". This value will never affect the final tally of any of the four 
"real" responses - "Blue", "Green", "Red" or "Black". It is only present to support the 
proof of validity that the voter must also submit. 

7. A proof of validity which demonstrates that among the six encrypted 
values above, there are exactly two which are encryptions of the value "checked" (also 

25 known as "for" or "positive"). This proof reveals no information about which two of the 
six are as such. In the case of this election, the form of the proof is a sequence of 42 
numbers, all in the range (0, 47) and in precise order. In other elections, a validity proof 
may consist of more or fewer numbers in total, but the count will be constant for each 
submitted ballot in a fixed election, and the numbers will always be submitted in precise 

30 order. 
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6.2 Decision Encryption 

For the sake of this example, let us assume that Vi wishes to cast a vote for 
"Blue" and a vote for "Black", and that V2 wishes to cast a vote for "Black" only. 

6.2.1 V} Encrypted Decisions 
1*' Decision 

V\ generates an exponent value e\, which is selected at random from the 
subgroup modulus of 23 integers, /.e., ei e/j Z23. For sake of example, say ei = 5. Since 
"Blue" is the first answer possibility, and since Vi wishes to vote "for" the choice "Blue", 
the first encrypted decision is given by 

(Xi,>;0 = (2\7^x3) = (32,37) (1) 

2"*' Decision 

Vi generates €2 Z23. For sake of example, say ^2 = 13. Since "Green" is 
the second answer possibility, and since Vi wishes to vote "against" the choice "Green", 
the second encrypted decision is given by 

(X2,>'2) = (2^',7^'xl6) = (14,24) (2) 

3'"'' Decision 

Vi generates sr Z23. For sake of example, say ^3 = 11. Since "Red" is 
the third answer possibility, and since Vi wishes to vote "againsf ' the choice "Red", the 
third encrypted decision is given by 

(^3,;^3) = (2^^7*'xl6) = (27,12) . (3) 

4'* Decision 

V\ generates €4 en Z23. For sake of example, say 64 = 20. Since "Black" is 
the fourth answer possibility, and since Vy wishes to vote "for" the choice "Black", the 
fourth encrypted decision is given by 

(X4,>^4) = (2'°,7''x3) = (6, 17) (4) 

5'* Decision 

This is an answer of type "Do Not Care". Vi generates €/? Z23. For sake 
of example, say = 17. Since V\ has voted "for*' two answer possibilities, and since 2 is 
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the "Max Positive" for this question, Vi must encrypt this as a choice "against". So the 
fifth encrypted decision is given by 

(^5,3^5) = (2^', 7^^x16) = (36, 2) (5) 

6^* Decision 

This is another answer of type "Do Not Care'\ Vi generates Z23. For 
5 sake of example, say = 10. Since Vi has voted "for" two answer possibilities, and 
since 2 is the "Max Positive" for this question, Vi must encrypt this as a choice "against". 
So the sixth encrypted decision is given by 

(;c6,^6)-(2^',7^^xi6) = (37,42) (6) 

6,2.2 Vo Encrvpted Decisions 
1^' Decision 

10 V2 generates ei Z23. For sake of example, say ei = 18. Since "Blue" is 

the first answer possibility, and since V2 wishes to vote "against" the choice "Blue", the 
first encrypted decision is given by 

ixuyi) = (2'\f' ^16) = (25,14) (7) 

2"^ Decision 

V2 generates €2 eg Z23. For sake of example, say 62 = 14. Since "Green" is 
15 the second answer possibility, and since V2 wishes to vote "against" the choice "Green", 
the second encrypted decision is given by 

(x2,;/2) = (2'', 7*^x16) = (28, 27) (8) 

3'^ Decision 

V2 generates ^3 Z23. For sake of example, say ea = 21. Since "Red" is 
the third answer possibility, and since V2 wishes to vote "against" the choice "Red", the 
20 third encrypted decision is given by 

(;c3,;/3) = (2^72^xi6) = (12,8) (9) 

4^^ Decision 

V2 generates €4 Z23. For sake of example, say 64 = 16. Since "Black" is 
the fourth answer possibility, and since V2 wishes to vote "for" the choice "Black", the 
fourth encrypted decision is given by 
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(X4,>^4) = (2^7^'x3) = (18, 16) (10) 

5'* Decision 

This is an answer of type "Do Not Care". V2 generates ^23. For sake 
of example, say = 4. Since V2 has voted "for" only one possibility, and since 2 is the 
"Max Positive" for this question, V2 must encrypt one of the "Do Not Care" answer 
5 choices as "for" and one "against". We may as well assume that he chooses to encode 
this one as "for", and the next one as "against". (Implementation of the alternative is only 
trivially different.) So the fifth encrypted decision is given by 

(x5,3^5) = (2^/x3) = (16,12) (11) 

6'*.Decision 

This is another answer of type "Do Not Care". V2 generates ee e/? Z23. For 
10 sake of example, say = 9. As noted above in the description of the previous decision, 
we may assume that this answer choice needs to be "against". So the sixth encrypted 
decision is given by 

(;c6,;^6) = (2',7^xl6) = (42,6) (12) 
63 Proof of Validity 

6.3.1 Fi Proof of Validity 

15 Voter Vi must prove that two of his encrypted decisions are encryptions of 

"for" and that four of his encrypted decisions are encryptions of "against". (Recall that 
nothing about the form of an encrypted decision prevents Vx from encrypting a value 
other than these two special values, so the second half of this criteria is not implied by the 
first. The full criteria is, however, implied if Vi can show that at least two of his 

20 encrypted decisions are encryptions of "for" and at least four of his encrypted decisions 
are encryptions of "against". Thus it is natural that the proof consist of two parts. 

Proof Part 1: At least two of the encrypted decisions are encryptions of 

"for". 

1. Vi sets ai, 06 to be the exponents he used to encrypt his 
25 corresponding decision. So in this exaniple: 
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ai=5,a2= 13, a3= 11,04 = 20,05= 17,06= 10 (13) 

2. Vi generates qju oh Z23, r-i, r^, rs, re e r Z23, ^2, -^s. ss, se Z23 
randomly. For this example we take 

fi?, =4, G)4=13 (14) 
r2=16.r3=17.r5 = 21,r6 = 9 

52 = 12, 53 = 4,5$= 15, 56 = 8 

3. Vi computes corresponding values 





fll -g 1 




2' =16 




02 = ^2X2 \ 




2'* xi4" = 12 








2'^ x27'' = 3 




04= g 4 




2''=14 




ai = ^iXs"i 




2^' x36* = 3 




^6 - ^6 X6 *6 




2^ x37'' = 12 




bi = h'", 




7^ = 4 




= h'2(y2fG)''2 




x(24/3)" = 25 








f x(12/3)" = 7 




64 = h^A 




7'' = 25 


bs 






7^' x(2/3)^ = 18 


b6 






f x(42/3)'^ = 16 



4. V\ uses an agreed upon hash function H to compute c e « Z23 

c = //({Xi,>/,,a„6,})l</<6 (15) 
5 Since many choices of the hash function are possible, for this example we can just pick a 
random value, say 

c=19 (16) 

5. V\ computes the interpolating polynomial P{x) of degree 6-2 = 4. 
The defining properties ofP are 

P(0) = c = 19 (17) 

P{2) = 52=12 
/>(3) = 5j=4 
P{5) = 5j = 15 
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P(6) = 56 = 8 

The technique for computing P{x) = Z)=o^j^-' is standard polynomial 

interpolation theory. Hence, rather than go through the steps of the computation here, we 
simply state the result: 

P{x) = 42x^ + 23xV 2x^+ 1 Ijc + 19 (18) 

zo = 19 z; = 77 Z2 = 2 (19) 
Zj =23 Z4 = 42 

6. Vi computes the values 

S7=P(1) = 3 s, = 5 (20) 

ri^ 0)1 + aiS\ = 4 + 5^1 = 19 

C04 + o^Sa = 13 + 2O54 = 21 

7. Part 1 of V\S validity proof consists of the 18 numbers 

{a,.b,,r,}U (21) 

and the four numbers 

{^k}U . (22) 

in precise sequence. Notice that zq need not be submitted, since it is computable from the 
other data elements submitted using the publish hash function H. The value P(0) may be 
readily computed based on the result of the hash function transmitted to the verifying 
party. Thus, this example explains another embodiment over that described above in 
section 1, which results in a 8% to 10% reduction in the size of each electronic ballot. In 
other words, the results of the polynomials Sj are not transmitted (^i and S4, in this 
example, for a savings of four numbers for the two parts of the proof). Instead, this 
embodiment transmits only the coefficients for the polynomials PQcYs. Rather than 
forcing the receiver party or voting authority to again perform standard polynomial 
interpolations as the voting party had to do previously, such redundant processing is 
avoided in this embodiment. 
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Proof Part 2: At least four of the encrypted decisions are encryptions of 

"against". 

The proof of part 2 can be obtained by following the same steps as were 
given in part 1 with the following simple substitutions: 
5 1. The indices 1 and 4 are now treated like the indices 2, 3, 5 and 6 

were treated in the Proof of Part 1 above, and visa versa. 

2. The value G (3) is interchanged with the value {i.e., 16) and visa 

versa. 

3. The degree of the interpolating polynomial P is now 6-4 = 2 instead 

10 of 4. 

4. The size of the proof is now 20 = 18 + 2 numbers, rather than 22 = 
18 + 4 numbers, as a result in the change of degree of the interpolation polynomial (not 
transmitting zs and z^, in this example). 

6.3.2 ^2 Proof of Validity 

15 The construction of V2S proof of validity follows essentially the same steps 

as were presented for I^i's proof of validity, so we only highlight the significant 
differences: 

1. For V2 the indices 4 and 5 play the role that the indices 1 and 4 

played for Vi. 

20 2. For V2 the indices 1, 2, 3 and 6 play the role that the indices 2, 3, 5 

and 6 played for 1^1. 

3. The randomly generated quantities are obviously different, in fact 

independent, 

6.4 Vote Submission 

25 Having computed the required six numerical pairs in sequence, and the 

corresponding proof of validity (parts 1 and 2), V\ and V2 each encode these elements, in 
sequence, as defined by the standard encoding format. The resulting sequences 
(belonging to Vi and V2 respectively) form each voter's encoded encrypted decision 
sequence, or voted ballot. Each voter then digitally signs his voted ballot with his private 
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signing key. For each voter, F^, (in this example / = 1, 2) the resulting combination of K/s 
voted ballot, and his digital signature (more precisely, the standard encoding of these two 
elements) forms his signed voted ballot. Finally, each voter transmits his signed voted 
ballot back to the data center collecting the votes. 

7. Example: Tabulation 
7.1 Verification 

Before the voted ballots are included in the collection to be tallied, they 
must first pass two verification checks. 
Signature Check 

First, the digital signature is checked to be sure it matches that of an eligible 
voter; in fact, it must match the signature of an eligible voter who has not already voted 
(i.e. has not aheady submitted a vote). 

Validity Verification 

The voted ballot must pass verification of the included proof of validity. 

Digital signature checking is a standard technique. For validity verification, 
the voted ballot must pass two checks, corresponding to parts 1 and 2 of the proof of 
vahdity. For part 1, the steps consist of: 

1. Compute the zero order coefficient of P, zo, by 

Zo = //({Jc,,;;,,a„fc,-})f.. =19 (23) 

2. For each 1 <7 < 6 both sides of the equations 

oj = /y^"^^ (24) 
bj = h'j(y/Gy'^ 

are evaluated. If equality fails in any of these, verification fails. This ballot is not 
included in the ballot box. 

In the case of this example, equation 23 holds since this was a basic 
assumption made about the arbitrary hash function H. (See equations 15 and 16.) As for 
the set of equations labeled 24, in this example they reduce to checking: 



16 = 2'^ X 32"^ 



4 = 7'^ X (37/3)"^ 
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12 = 2'^ X 14"'^ 25 = X (24/3)-'^ 

3 = 2''x27^ 7 = 7'^ X (12/3)-^ 

14 = 2^* X 6"' 25 = X (17/3)-^ (25) 

3 = 2^' X 36-'* 18 = 7^' X (2/3)-'^ 

12 = 2'x3r* 16 = 7' X (42/3)"' 

Verification of each of these 12 equations is a tedious but trivial matter. We leave it up 
to the reader to check them to his satisfaction. 

The steps required to verify part 2 are the same except that G~' = 16 is used 
in place of G = 3 and visa versa. 

7.2 Vote Aggregation 

The collection of votes that pass validity verification constitute the ballot 
box. For this example, we will assume that both the ballot belonging to V\ and the ballot 
belonging to Vi passed. Thus, in this example, the ballot box will consist of four pairs of 
encrypted decisions - each of these corresponding, in sequence, to a answer choice or 
option in the same sequence. 

Ballot Box 

BLUE (32, 37) ; (25, 14) 
GREEN (14, 24) ; (28. 27) 
RED (27. 12) ; (12, 8) 
BLACK (6, 17) ; (18, 16) 

An encrypted tally is formed for each of these by multiplying the pairs 
together component wise: 

Encrypted Tallies 

BLUE ((/,, Tx) = (1, 1) = (32 x 25, 37 x 14) 

GREEN (172. T2) = (16, 37) = (14 x 28. 24 x 27) 

RED (t/3, T3) = (42, 2) = (27 x 12, 12 x 8) 

BLACK (O,, 7^4) = (14, 37) = (6 x 18, 17 x 16) 

(Recall: operations are performed, in this example (mod 47). 
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7.3 Decryption 

The threshold secret scheme is now executed by the authorities. The end 
result of this is to compute the values C// for 1 <y ^ 4, where 5 is the secret value, without 
revealing information about s to anyone. Since this technique is standard, we do not 
illustrate it here, rather we note what the values must be (since in this toy example we do 
know 5 = 12 - see above). 





= i'^=i 


(26) 




= 16'^ = 4 




ui 


= 42'^ =18 






= 14'^ = 25 





From this we compute 

Vi = Ti/U\ = 1/1 = 1 (27) 

V2 = T2lU\ = 37/4 = 21 

V3 = T^/Ul = 2/18 = 21 

V^ = TJU', = 37/25 = 9 

7.4 Exponent Search 

By simple search (we would use the Tabulation Search Enhancement for 
large elections) we obtain (recall G = 3 for this election) 

= G° (28) 
V2 = 

= 

7.5 Linear Equation Solution 

Each exponent in equation 25 is exactly the difference between the number 
of "for" votes cast and the number of "against" votes cast for the corresponding answer 
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choice. Since we know the sum of the number of "for" votes and the number of "against" 
votes is always 2 (the nxmiber of ballots submitted), we can compute 

BLUE 1 vote "for" ; 1 vote "against" 

GREEN 0 votes "for" ; 2 votes "against" 
5 RED 0 votes "for" ; 2 votes "against" 

BLACK 2 votes "for" ; 0 votes "against" 

In other words, the final tally is 

BLUE 1 

GREEN 0 
10 RED 0 

BLACK 2 

8. Write-his 

Most candidate elections allow voters to "Avrite-in" a candidate instead of 
choosing a pre-registered candidate. This, often required, feature presents a unique 
15 challenge to election schemes. Here are solutions to the write-in problem. 

8.1 Preregistered Write-ins 

This scheme requires that all potential vmte-in candidates be registered 
with the election authority in advance of the election. A valid registration request 
consists of the candidate name, ballot (precinct) identifier and race identifier. Upon 

20 receipt of a registration request, the election authority generates the next candidate 
number for the indicated race and computes a unique encryption generator. The 
candidate name, ballot identifier, race identifier, candidate nimiber and generator are 
stored in a secxire data area. Prior to the start of the election, the registration service is 
closed and the information for all write-in candidates is merged mto the appropriate 

25 precinct ballots. 

The primary advantage of the pre-registration model is that all write-in 
candidate names appear on all ballots, and everyone casts a vote for or against every 
write-in candidate. Once the election begins, there is no difference between a write-in 
candidate and a candidate who is officially qualified to be on the ballot. Thus, write-in 
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candidate votes receive all of the security advantages inherent in the homomorphic 
encryption scheme. No information can leak about who voted for a particular write-in 
candidate and no special steps are required during the ballot submission half of the 
protocol. 

There are two major disadvantages to the pre-registration model. First, the 
pre-registration model is contrary to the way write-ins are currently handled in those 
jurisdictions where they are allowed. To use our scheme, the jurisdiction must decide to 
allow registration of write-in candidates prior to the election and to disallow submission 
of new write-in candidate names during the election. The resultant paradigm change may 
present political or legislative problems in some areas. Second, the registration process 
must sever the link between a write-in candidate name and the person submitting the 
name. Although such a linkage is not a guarantee that the person submitting the name 
will actually vote for the candidate, the probability is high - especially if the candidate 
receives only one vote. In any case, it is likely that voters will be uncomfortable with 
election officials knowing who registered write-in candidate names. A secure anonymous 
channel can be used to sever the link. However, this may expose the write-in registration 
system to denial-of-service-attacks, where the server is bombarded with registration 
requests. This denial-of-service attack will slow service and/or make the number of 
write-in candidates unmanageable or infeasible. 

The preferred implementation would use a verifiable anonymous protocol, 
such as a blind signature protocol. Permission to register a write-in candidate can then be 
restricted to registered voters, while still severing the link between the write-in candidate 
and the person registering the write-in. This does not entirely eliminate the possibility of 
malicious attacks, but does limit the damage to repeated "pinging" of the registration 
server (which is a vulnerability of any Internet-based service). If each registered voter is 
restricted to obtaining one authorization niunber through the blinding protocol, and each 
authorization number is restricted to submitting one write-in candidate name per race. 

8.2 Write-in Database 

This scheme requires a pre-existing database on an election server 
containing a record for each person eligible to hold any office appearing on the ballot. 
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The record contains the person's name, unique identifier (e.g., social security number) 
and an encryption generator. For any given race, the voter may fill in the name of a 
write-in candidate. The database is queried for that name, and if a match is found, the 
unique identifier and any necessary encryption data are used to form the vote for that 
5 candidate. 

Since the write-in candidate identifier is plainly visible on the encrypted 
ballot, any observer can conclude with high confidence that the person submitting the 
encrypted baUot voted yes for that write-in candidate. The conclusion is not 100% 
certain because a voter can submit a no vote for any write-in candidate appearing in the 

10 database. Under normal circumstances, this would be very unlikely. However, we can 
increase the uncertainty in several ways. First, we require submission of a write-in vote 
for all races. If the voter does not wish to vote for a write-in candidate for a particular 
race, then a random candidate name is selected from the database and a no vote is cast for 
that candidate. Second, we fixrther increase the imcertainty by placing the names of all 

15 write-in candidates selected so far into a pool from which subsequent random candidate 
names will be selected. This dramatically increases the chances that all write-in names, 
including the "real" ones, will be repeated in the ballots of multiple voters. Thus, 
information about who voted for a write-in candidate is concealed. The primary 
advantage to this scheme is that casting a vote for a write-in candidate is virtually 

20 identical to the traditional method. Write-in candidates need not be registered prior to the 
election - they can be selected during the election. Another potential advantage is that the 
database of all valid write-in candidates will help prevent misspellings and the casting of 
votes for bogus candidates. 

There are three major disadvantages of this method. First, the creation, 

25 maintenance and access of the database may not be practically feasible. For a national 
election, the database would have to contain the names of all U.S. citizens eligible for 
holding any office in the country. This would probably result in well over 100 million 
records of at least 50 bytes each, or 5 gigabytes of data. For local elections, it may be 
sufficient to have a database containing all citizens residing in the state who are above a 

30 certain age. This could still result in 500 megabytes of data or more for large states. 
There are significant issues surrounding the problems of obtaining the data and keeping it 
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current. If a name is not in the database, it cannot be used for a write-in vote. If the 
name has been omitted in error, there could be severe political fallout. 

Second, the database queries require a secure anonymous channel If the 
channel is not anonymous, the election authorities will be able to correlate an inquiry by 
name with a vote for the matching write-in candidate. In fact, an inquiry by name is itself 
a pretty good indicator that the voter will cast a yes vote for that write-in candidate. It 
would also be possible to do a correlation by eliminating all voters who made a random 
query to obtain a fake write-in name. Some concealment is possible by forcing all voters 
to make both a random inquiry and an inquiry by name. After at least one person votes, 
the names in the random selection list can be used for inquiries by name. However, it 
will be known to the authority whether the first voter did a random inquiry or an inquiry 
by name, and we cannot conceal the voter who made the first inquiry for a particular 
name. Once again, if a secure anonymous channel is used to prevent these leaks, then we 
open the database server to denial-of-service attacks. Thus, a verifiable anonymous 
protocol such as blind signatures is preferred. 

Third, although forcing everyone to vote for or against a write-in candidate 
in every race provides some conceahnent, there are several unavoidable information leaks 
at the boundary conditions. There is a very high probability, almost a certainty, that the 
fnst ballot submitted for a write-in candidate that receives at least one yes vote contains a 
yes vote for that candidate. One possible solution is to conceal the arrival order of the 
ballots fi-om everyone except the election authority by using a secure channel for casting 
votes, delaying publication of the votes until the polls close, and then shuffling the votes 
prior to publication on the bulletin board (or, they can simply be posted in alphabetical or 
numeric order). 

Unfortunately, the fake write-in and shuffling schemes cannot conceal the 
fact that the last voter voted yes for a new write-in candidate. Finally, if the number of 
ballots containing the same write-in candidate number is close to the number of yes votes 
for that candidate, the pool of persons voting for that candidate can be identified with 
enough certainty, to be potentially dangerous to that group. This is likely to happen in 
small jurisdictions and may happen as an accidental consequence of our random selection 
process. One way to plug the iirformation leaks in this scheme is to encrypt the write-in 
candidate numbers. That way, no one can identify who voted for or against any given 
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write-in candidate. However, the candidate number must be decrypted in order to 
perform the proof of validity and to determine the bin to which the encrypted vote should 
be added. One protocol would use standard public key encryption techniques: the 
candidate number would be encrypted with a randomly generated session key, which 
would in turn be encrypted with a shared public key. Another copy of the session key 
would be encrypted with the voter's public key for later use in verifying the candidate 
number in the optional voter verification process. 

When the polls close, write-in votes are forwarded to a special set of 
authorities called write-in authorities. The write-in authorities use a shared-key threshold 
scheme to decrypt the candidate numbers, such that at least t authorities would have to 
conspire to reveal the connection between a voter and his/her write-in candidate numbers. 
The write-in authorities perform the proof of validity for each write-in ballot and add it to 
the encrypted tally for that candidate. It is important to note that the vmte-in authorities 
are distinct from the tallying authorities and do not possess shares of the key used to 
decrypt the final tally. However, there is no protection against conspiracy among tallying 
authorities and write-in authorities. 

Although this approach has privacy advantages to the voter that casts a 
write-in candidate, it suffers from reduced accountability. Once the candidate number is 
masked, the audit trail is broken. An independent observer carmot verify that the vote 
was properly credited to the correct candidate because he/she cannot see the candidate 
number through the encryption on the original ballot. Therefore, the observer can not add 
up all the encrypted votes for a particular write-in candidate and verify that the it matches 
the encrypted tally for that candidate. Only the second set of authorities can do that, 
which is a weak form of verifiability. 

8.3 Write-in Proof of Validity 

In this section we show how it is possible to modify the voter proof of 
validity discussed in section 1 so that it may incorporate write-in votes. The methods of 
the previous subsections suffer from the drawback that no method for voter proof of 
validity is provided. This means that in order for the vote collection authority to accept a 
write-in response to a question, it must either accept on faith that the rest of the voter's 
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ballot is constructed properly (/.e. is well formed), or it must decrypt the individual 
decisions and verify ballot validity by inspection of the (unencrypted) contents. The 
former opens the election to significant voter fraud (a voter might, for example, cast 
1,000,000 votes for one "non-write-in" candidate, or cast a votes for more than d 

5 candidates). The latter eliminates the voter privacy associated with the basic 
homomorphic protocol. (See section 1 for definition aid.) 

On the other hand, the proof of validity variation outlined here allows the 
election to conducted with the full auditability and security properties of the multi-way 
election protocol described in section 4, when considering only the tally of (yes/no) 

10 decisions. The tally of write-ins must be handled by decrypting the individual vmte-ins, 
and for this reason, the write-in tally can not have the desirable properties of universal 
verifiability and voter privacy simultaneously. The organization can choose whether to 
emphasize privacy or external auditability. In either case, it may often be possible to 
dismiss the tally of the write-in votes entirely by simply counting the total number of 

15 votes cast and comparing them to the homomorphically computed decisions tallies. It 
may be easy to argue that the write-in votes could not possibly affect the outcome of the 
election, and hence that they may be remain encrypted and untallied. In such a situation, 
the election is imiversally verified, and all votes remain private. 

The key to making this work is that write-in votes are encrypted in the 

20 decisions formerly used as "don't care decisions." This is possible since ElGamal 
encryption allows for encryption of arbitrary messages m, not just messages of the form 
G'k or G"jt. A "write-in" decision is then encrypted in the form 

{x,y) = ig'',h''v) (29) 

where v is a standard text encoding of the voter's write-in vote. The value v = G"^ (w = -1 
in most of our examples) is agreed upon to be a special write-in value. It is special 
25 because it means "not a vote." (This is fme in practice, since the standard encoding of 
(fl^ will always be illegible in any spoken language.) 

Suppose that we now have a d-of-n issue where we wish to allow write-ins. 

The voter, Kperforms the following operations: 
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1. I^^s voted ballot contains n^d ElGamal encrypted values (as in 
section 1). 

2. The first n of these must be of the form (x j/) = ( , Z^"" G'' ) (where 
V yu (1) or V = «jt (-1); see sections 4.1 and 4.2.) ). Again, as in 
section 1, these encrypt the choices y^s/no'' or "for/against." 

3. Assuming Khas cast j "for" decisions in the previous step, Kmust 
now complete the remaining d decisions. This is done by the 
following rules 

a. At least w = max { 0 , c/ - y } of these must be of the form 

b. The remaining d - w may be encrypted using equation i for 
Vs chosen write-in string v. 

4. Kmust also submit a proof of validity with his voted ballot. This 
consists of 

a. A proof of knowledge that *'at least n of the decisions are of 
^ the form (x^) ^ { g"" , h"" (fk ).» Proof is identical to the 

second half of the proof described in section 1 (except that 
the value n referred to there is actually n^d in this case). 

b. For each of the first n encrypted decisions separately, V 
constructs a proof of knowledge that it is of the form {xy^ = ( 
f .H'G' ), where v = yu (1) or v = (-1). Each of these 
proofs can be seen as a 1-of-l proof as per section 1. 
(Alternatively, by applying the work of Cramer, Damgrd and 
Shoeiunakers, directly, one can shorten proofs of this type by 
a factor of 2.) 

The vote collection center performs the following operations: 

1. Verify each of the voter's separate proofs described above. The 
techniques for doing this are described in section 1. (Notice that 
these proofs taken together ensure that 

a. The n "homomorphic" decisions were each valid - that is they 
were not encryptions of multiple votes. 
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b. The sxim of the number of "for" homomorphic decisions cast 
by the voter, and the number of write-in decisions that were 
not "not-a-vote" is at most d. (Remember that an encryption 
of G"* in a write-in decision is interpreted as "not-a-vote.") 

2. Aggregates and decrypts encrypted "homomorphic" decisions (first n 
in the voter's voted ballot) as in section 4. 

3. Individually decrypts and tallies the remaining write-in decisions 
(last in the voter's voted ballot). This last step may be shared so as 
to functionally protect voter privacy. Full publication of these 
resuhs will make the election universally verifiable, but sacrifice 
voter privacy. 

One skilled in the art will appreciate that the concepts of the invention can 
be used in various environments other than the Internet. For example, the concepts can 
be used in an electronic mail environment in which electronic mail ballots or forms are 
processed and stored. In general, a web page or display description (e,g., the bulletin 
board) may be in HTML format, email format, or any other format suitable for displaying 
information (including character/code based formats, bitmapped formats and vector based 
formats). Also, various communication channels, such as local area networks, wide area 
networks, or point-to-point dial-up connections, may be used instead of the Internet. The 
various transactions may also be conducted within a single computer environment, rather 
than in a client/server environment. Each voter or client computer may comprise any 
combination of hardware or software that interacts with the server computer or system. 
These client systems may include television-based systems, Internet appliances and 
various other consumer products through which transactions can be performed. 

In general, as used herein, a "link" refers to any resource locator identifying 
a resource on the network, such as a display description of a voting authority having a site 
or node on the network. In general, while hardware platfomis, such as voter computers, 
teraiinals and servers, are described herein, aspects of the invention are equally 
applicable to nodes on the network having corresponding resource locators to identify 
such nodes. 

Unless the context clearly requires otherwise, throughout the description 
and the claims, the words 'comprise', 'comprising', and the like are to be construed in an 
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inclusive sense as opposed to an exclusive or exhaustive sense; that is to say, in the sense 
of "including, but not limited to". Words using the singular or plural number also include 
the plural or singular number, respectively. Additionally, the v/ords "herein", 
"hereunder", and words of similar import, when used in this application, shall refer to this 
application as a whole and not to any particular portions of this application. 

The above description of illustrated embodiments of the invention is not 
intended to be exhaustive or to limit the invention to the precise form disclosed. While 
specific embodiments of, and examples for, the invention are described herein for 
illustrative purposes, various equivalent modifications are possible within the scope of the 
invention, as those skilled in the relevant art vnll recognize. The teachings of the 
invention provided herein can be applied to other encryption applications, not necessarily 
the electronic voting system described above. 

The various embodiments described above can be combined to provide 
further embodiments. All of the above references and U.S. patents and applications are 
incorporated herein by reference. Aspects of the invention can be modified, if necessary, 
to employ the systems,^ functions and concepts of the various patents and applications 
described above to provide yet further embodiments of the invention. 

These and other changes can be made to the invention in Ught of the above 
detailed description. In general, in the following claims, the terms used should not be 
construed to limit the invention to the specific embodiments disclosed in the specification 
and the claims, but should be construed to include all encryption systems and methods 
that operate under the claims to provide data security. Accordingly, the invention is not 
limited by the disclosure, but instead the scope of the invention is to be determined 
entirely by the claims. 
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CLAIMS 



1. An electronic voting system for use with a computerized network, 

1 comprising: 

3 a plurality of voting computers coupled to the computerized network, wherein 

4 each voting computer provides an electronic encrypted ballot representing N number of 

5 votes, wherein each vote is a choice between two options and wherein N is greater than one, 

6 wherein each electronic ballot is encrypted under a discrete log asymmetric encryption 

7 process using underlying groups 2p or elliptic curve, and wherein each electronic ballot 

8 includes a non-interactive proof of validity that ensures the electronic ballot is well-formed; 

9 at least furst, second and third authority computers coupled to the computerized 

10 network that each include first, second and third cryptographic keys, respectively, and 

1 1 wherein at least two of the first, second and third keys are necessary for decrypting at least a 

12 portion of the plurality of electronic ballots, wherein the electronic ballots were encrypted 

13 under a threshold asymmetric encryption process; and 

14 a server computer system coupled to the computerized network, wherein the 

15 server computer system is configured to: receive the plurality of electronic ballots firpm the 

16 plurality of voting computers; verify the proof of validity of each of the plurality of 

17 electronic ballots; form an encrypted tally of the votes from the plurality of electronic 

18 ballots; transmit the encrypted tally to the fu-st, second and third authority computers; receive 

19 ballot decryption shares produced with the at least two of the first, second and third 

20 cryptographic keys and the encrypted tally by the first, second and third authority computers; 

21 and compute a decrypted tally based on the encrypted tally and the decryption shares. 

2. The system of claim 1, fiirther comprising: 

2 at least one voting poll computer coupled to the computerized network and 

3 providing another plurality of electronic encrypted ballots to the server computer system. 
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3. The system of claim 1, further comprising: 

2 at least one voting poll computer coupled to the computerized network, 

3 wherein the voting poll computer is coupled to a plurality of additional terminals over a 

4 network to receive, and provide to the server computer system, another plurality of electronic 

5 encrypted ballots, 

4. The system of claim 1 wherein the computerized network includes the 

1 World Wide Web, wherein each of the plurality of voting computers include a web browser 

2 program, and wherein the server computer system includes: 

4 ' at least two web server computers, each having at least one of the data storage 

5 devices, wherein at least one of the web server computers provides a ballot box web page for 

6 the plurality of voting computers to post their respective electronic ballots thereto. 

5. The system of claim 1 wherein the plurality of voter computers include 

1 at least one pahn-sized computer, cell phone, wearable computer, interactive television 

2 terminal or Internet appliance. 

6. A computer system for receiving a plurality of electronic ballots, 

1 comprising: 

3 a server computer configured to: 

4 receive a plurality of electronic ballots representing a multi-way election, 

5 wherein the multi-way election represents a choice of a d number of options selected from an 

6 N number of options, wherein N and d are greater than one and N is greater than d, and 

7 wherein each electronic ballot represents the multi-way election as N number of votes with 

8 each vote being a choice between two unequal choices, and wherein each electronic ballot is 

9 encrypted under a discrete log asymmetric encryption process using an underlying 

10 mathematical group; 

11 form an encrypted tally of the votes from the plurality of electronic ballots 

12 without decrypting any of the N number of votes on each of the plurality of electronic 

13 ballots; and 

59 



wo 01/20562 



PCT/USOO/07737 



14 compute a decrypted tally based on the encrypted tally without decrypting any 

15 of the N number of votes on each of the plurality of electronic ballots. 



7. The system of claim 6 wherein the electronic ballots are encrypted using 

1 Zp or elliptic curve groups and include a non-interactive proof of validity that ensures the 

2 electronic ballot is well-formed, wherein the server computer receives the electronic ballots 

3 from a communication network, and wherein the server computer is configured to: 

5 verify the proof of validity of each of the plurality of electronic ballots; 

6 transmit over the network the encrypted tally to authority computers; 

7 receive ballot decryption shares produced by at least a subset of authority 

8 cryptographic .keys and the encrypted tally; and 

9 decrypt the encrypted tally using the received ballot decryption shares. 

8. The system of claun 6 wherein the server computer is configured to: 

2 compute a series of base values for a log under the discrete log encryption 

3 process up to a predetermined amount corresponding to an upper bound on a total number of 

4 votes from the pluraUty of electronic ballots; 

5 store in memory the computed series of base values in a table before computing 

6 the decrypted tally; and 

7 decrypt the encrypted tally by comparing the stored values to the encrypted 

8 tally to produce the decrypted tally. 



9. The system of claim 6 wherein the electronic ballots include a non- 

1 interactive proof of validity, and wherein the server computer is configured to verify the 

2 proof of validity of each of the plurality of electronic ballots. 

10. The system of claim 6 wherein the electronic ballots include a non- 

1 interactive proof of validity that ensures the electronic ballot includes only N number of 

2 votes and d number of options without revealing which d of N options are selected, and 

3 wherein the server computer is configured to verify the proof of validity of each of the 

4 plurality of electronic ballots. 
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11. The system of claim 6 wherein the electronic ballots include write-in 

1 candidates. 

12. The system of claim 6 wherein the server computer is coupled to the 
1 Internet and receives therefrom the electronic ballots. 

13. The system of claim 6 wherein the wherein the server computer is 

1 configured to: 

3 transmit over the network the encrypted tally to authority computers; 

4 receive ballot decryption shares produced by at least a subset of authority 

5 cryptographic keys and the encrypted tally; and 

6 decrypt the encrypted tally using the received ballot decryption shares. 

14. The system of claim 6 wherein the electronic ballots are encrypted using 
1 a ring of integers, having a modulus integer value p. 

15. The system of claim 6 wherein the electronic ballots are encrypted using 
1 an elliptic curve group. 

16. The system of claim 6 wherein the server computer is configured to 
1 transmit a digitally signed receipt in response to each received electronic ballot. 

17. The system of claim 6 wherein the wherein the server computer is 

1 configured to: 

3 transmit to at least one third party vote verification authority a digitally signed 

4 receipt in response to each electronic ballot received from a voter, and wherein for each 

5 received receipt, the authority stores the receipt, adds another digital signature to the receipt 

6 and forwards the receipt to the voter. 



2 



18, An electronic voting method, comprising: 
selecting a subgroup generator g selected from a group G; 

61 



wo 01/20562 



PCTAJSOO/07737 



3 generating n number of secret authority keys and a public key h based on the 

4 group G and subgroup generator g; 

5 forming and distributing a plurality of initial electronic ballots to a plurality of 

6 voters based on the public key h, wherein the formed ballot includes N numbers of votes, 

7 wherein each vote is a choice between two options and wherein N is greater than one; 

8 for each ballot, 

9 encrypting each ballot under an asymmetric encryption process employing the 

10 group G, subgroup generator g, public key h, and a secret voter key, and 

11 performing and providing results of a non-interactive proof of validity that 

12 ensures the electronic ballot is well-formed; 

13 receiving the plurality of electronic ballots from the plurality of voters; 

14 verifying the proof of validity of each of the plurality of electronic ballots; 

15 forming an encrypted tally of the votes from the plurality of electronic ballots; 

16 distributing the encrypted tally for creation of decryption shares based on the 

17 secret authority keys; 

18 receiving the decryption shares from at least k niunber of the secret authority 

19 keys; and 

20 computing a decrypted tally based on the encrypted tally and the decryption 

21 shares. 

19. The method of claim 18 wherein encrypting each ballot includes 

1 encrypting each ballot using 2p or elliptic curve groups; 

3 and wherein distributing a plurality of initial electronic ballots, receiving the 

4 plurahty of electronic ballots, distributing the encrypted tally, and receiving the decryption 

5 shares dst all performed over a computer network. 

20. The method of claim 18, further comprising: 

2 determining an upper bound on a total number L of votes for the plurality of 

3 electronic ballots; and 

4 computing and storing L*^ niunber of values, wherein 0<a<l, and 

5 wherein computing a decrypted tally includes comparing the stored values to 

6 the encrypted tally to produce the decrypted tally. 
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21. The method of claim 18 wherein performing and providing results 

1 includes providing a non-interactive proof of validity that ensures the electronic ballot 

2 includes only N number of votes and d number of options without revealing which d of N 

3 options are selected. 

22. The method of claim 18 wherein the group G is Z^. 

23. The method of claim 18 wherein the group G is an elliptic curve group. 



24. The method of claim 18, further comprising transmitting digitally signed 

1 receipts in response to each received electronic ballot. 

25. The method of claim 18, further comprising: 

2 transmitting digitally signed receipts in response to each received electronic 

3 ballot to at least one third party vote verification authority; 

4 adding an authority digital signature to the receipt; and 

5 forwarding the receipt to the voter. 

26. A computer-readable medium providing instructions, when implemented 
1 by a voting computer perform an electronic voting method, comprising: 

3 receiving an initial electronic ballot representing a multi-way election, wherein 

4 the multi-way election represents a choice of z d number of options selected from an N 

5 number of options, wherein N and are greater than one and N is greater than d, and 

6 wherein the initial electronic ballot represents the multi-way election as N number of votes 

7 v/ith each vote being a choice between two unequal choices; 

^ 8 receiving N number of input choices from a voter to form a voted electronic 

9 ballot; 

10 encrypting the voted electronic ballot under a discrete log asymmetric 

1 1 encryption process using an underlying mathematical group; and 

12 providing the encrypted electronic ballot to an electronic ballot collector for 

13 aggregation into an encrypted tally of received encrypted electronic ballots. 
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27. The computer-readable medium of claim 26 wherein encrypting the 

1 voted electronic ballot includes encrypting using Zp or elliptic curve groups, and wherein the 

2 method includes: 

4 performing a non-interactive proof of validity on the voted electronic ballot 

5 that ensures the electronic ballot is well-formed, and 

6 wherein receiving the initial electronic ballot includes receiving the initial 

7 electronic ballot from a communication network, and providing the encrypted electronic 

8 ballot to an electronic ballot collector includes transmitting the encrypted electronic ballot 

9 over the network to an electronic ballot collection server computer. 

28. The computer-readable medium of claim 26 wherein the method 

1 includes: 

3 performing a non-interactive proof of validity on the voted electronic ballot 

4 that ensures the voted electronic ballot includes only N number of votes and d number of 

5 options without revealing which d of N options are selected. 

29. The computer-readable medium of claim 26 wherein the underlying 
1 mathematical group is a ring of integers, having a modulus integer value p {Zp). 

30. The computer-readable medium of claim 26 wherein the underlying 
1 mathematical group is an elliptic curve group. 

31. The computer-readable medium of claim 26, further comprising 
1 receiving a digitally signed receipt after providing the encrypted electronic ballot. 

32. The computer-readable medium of claim 26 wherein receiving an initial 

1 electronic ballot includes receiving a digital signature with the initial electronic ballot, 

2 wherein the digital signature is from the electronic ballot collector. 

33. The computer-readable medium of claim 26 wherein the computer- 
1 readable medium is an Intemet cormection link to the voting computer. 
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34. In an electronic voting method, a transmitted signal for use by an 
1 authority computer, comprising: 

3 an encrypted tally of electronic ballots representing a multi-way election, 

4 wherein the multi-way election represents a choice of a number of options selected from an 

5 N number of options, wherein N and are greater than one and N is greater than d, wherein 

6 each electronic ballot represents the multi-way election as N number of votes with each vote 

7 being a choice between two unequal choices, and wherein the encrypted tally comprises a 

8 plurality of the electronic ballots encrypted under a discrete log asymmetric encryption 

9 process using an underlying mathematical group and a public key h, and 

10 wherein the encrypted tally allows the authority computer to generate a 

11 decryption share based on one of a mmiber n of secret authority keys, and wherein at least a 

12 k number decryption shares, generated by k number the secret authority keys, are necessary 

13 to compute a decrypted tally based on the encrypted tally and the k number of decryption 

14 shares. 

35. The transmitted signal of claim 34 wherein each of the plurality of 

1 electronic ballots includes, before aggregation into the encrypted tally, a non-interactive 

2 proof of validity on the electronic ballot that ensures the electronic ballot includes only N 

3 number of votes and d number of options without revealing which d of N options are 

4 selected. 

36. The transmitted signal of claim 34 wherein each of the plurality of 

1 electronic ballots includes, before aggregation into the encrypted tally, a non-interactive 

2 proof of validity on the electronic ballot that ensures the electronic ballot includes only N 

3 number of votes and at most d number of options without revealing which of at most d of N 

4 options are selected. 

37. The transmitted signal of claim 34 wherein each of the plurality of 

1 electronic ballots includes, before aggregation into the encrypted tally, a non-interactive 

2 proof of validity on the electronic ballot that ensures the electronic ballot includes only N 

3 number of votes and d number of options without revealing which d of N options are 
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5 selected, and wherein at least one of the plurality of ballots in the encrypted tally includes a 

6 write-in candidate vote. 



38. The transmitted signal of claim 34 wherein the underlying mathematical 

1 group is a ring of integers, having a modulus integer value p (Zp), or an elliptic curve group. 

39. An electronic voting method, comprising; 

2 selecting a subgroup generator g selected from a group G and generating n 

3 number of secret authority keys and a public key h based on the group G and subgroup 

4 generator g; 

5 receiving a plurality of electronic ballots from a plurality of voters based on the 

6 public key h, wherein the formed ballot includes N numbers of votes, wherein each vote is a 

7 choice between two options and wherein N is greater than one, and wherein each ballot is 

8 encrypted under an asymmetric encryption process employing the group G, subgroup 

9 generator g, pubUc key h, and a secret voter key, and 

10 forming an encrypted tally of the votes from the plurality of electronic ballots; 

1 1 distributing the encrypted tally for generation of decryption shares based on the 

12 secret authority keys; 

13 receiving decryption shares based on at least k number of the secret authority 

14 keys; and 

15 computing a decrypted tally based on the encrypted tally and the received 

16 decryption shares. 

40. The method of claim 39, further comprising: 

2 determining an upper bound on a total number L of votes for the plurality of 

3 electronic ballots; and 

4 computing and storing L** number of values, wherein 0<a<l, and 

5 wherein computing a decrypted tally includes comparing the stored values to 

6 the encrypted tally to produce the decrypted tally. 



41 . The method of claim 39, further comprising verifying a proof of validity 
1 corresponding to each of the received plurality of electronic ballots, wherein each proof of 
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validity is a non-interactive proof of validity that ensures the electronic ballot includes only 
N number of votes and d number of options without revealing which d of N options are 
selected. 

42. The method of claim 39, further comprising verifying a proof of validity 
corresponding to each of the received plurality of electronic ballots, wherein each proof of 
validity is a non-interactive proof of validity that ensures the electronic ballot includes only 
N number of votes and at least d number of options without revealing which of at least d of 
N options are selected. 

43 . The method of claim 39, further comprising: 

verifying a proof of validity corresponding to each of the received plurality of 
electronic ballots, wherein each proof of validity is a non-interactive proof of validity that 
ensures the electronic ballot includes N number of votes and d number of options without 
revealing which d of N options are selected, and wherein at least some of the plurality of 
electronic ballots includp at least one of the d options as a write-in candidate; and 

after computing a decrypted tally, decrypting and tallying the write-in 

candidates. 

44. The method of claim 39 wherein the group G is a ring of integers, 
having a modulus integer value p, or an elliptic curve group. 

45. The method of claim 39, further comprising transmitting digitally signed 
receipts in response to each received electronic ballot. 

46. The method ofclaim 39, further comprising: 

transmitting digitally signed receipts in response to each received electronic 
ballot to at least one third party vote verification authority before the digitally signed receipt 
is provided to a voter. 
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47. The method of claim 39, further comprising transmitting electronic 

1 ballots for voting, wherein each transmitted electronic ballot includes a digital signature or 

2 output of a hash function appUed to the electronic ballot. 
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Figure 2: Ballot Encryption and Proof of Ballot Validity 
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